
Understanding Microsoft’s Vulnerability Trends: An expert Q&A with James Maude, Field CTO, BeyondTrust

James Maude, Field CTO at BeyondTrust, delves into the persistent challenges and trends in Microsoft’s vulnerabilities, highlighting the dominance of Elevation of Privilege and the critical shift towards identity security in 2024.

BeyondTrust, the intelligent identity and access security company, has released its Annual Microsoft Vulnerabilities Report. The report reveals that vulnerability numbers remain high. Elevation of Privilege remained the top vulnerability category for the fourth consecutive year, accounting for 40 per cent of all Microsoft vulnerabilities in 2023. Total vulnerabilities have maintained a four-year holding pattern near record highs.

This annual report analyses data from Microsoft’s security bulletins over the past year, providing crucial insights to help organisations understand, identify, and address risks within their Microsoft ecosystems.

The report categorises vulnerabilities into several main types: Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Denial of Service (DoS), Spoofing, Tampering, and Security Feature Bypass. It also examines how these vulnerabilities are exploited in identity-based attacks, highlighting significant CVEs of 2023 with CVSS severity scores of 9.0 and above.

Key Highlights:

  • Elevation of Privilege accounted for 40% of all Microsoft vulnerabilities in 2023.
  • Total vulnerabilities have stayed near their highest-ever numbers, between 1,200 and 1,300, since 2020.

Key Findings:

  • After reaching an all-time high in 2022, total vulnerabilities remain near record levels.
  • Elevation of Privilege remains the dominant category, representing 40 per cent of total vulnerabilities.
  • Denial-of-service vulnerabilities rose 51 per cent to a record high, while Spoofing vulnerabilities increased dramatically by 190 per cent.
  • Critical vulnerabilities decreased by 6 per cent, continuing a downward trend but at a slower pace.
  • Vulnerabilities in Microsoft Azure & Dynamics 365 nearly halved from 2022 to 2023.
  • Microsoft Edge saw 249 vulnerabilities, with only one classified as critical.
  • Windows had 522 vulnerabilities, with 55 deemed critical.
  • Microsoft Office experienced 62 vulnerabilities.
  • Windows Server had 558 vulnerabilities, with 57 classified as critical.

In a conversation with edge/, James Maude, Field CTO, BeyondTrust, deep dives into the report:


Can you tell us more about your involvement and findings?

I’ve been deeply involved in researching Microsoft’s vulnerabilities for over 11 years. This long history has allowed me to observe significant trends and changes in the security landscape. In my latest interview for the report, I discussed vital findings on vulnerabilities, particularly the shifts and stability in critical vulnerabilities over time. This research has highlighted improvements and ongoing challenges within Microsoft’s security practices.

Could you elaborate on the key findings regarding Microsoft’s vulnerabilities?

One of the most notable findings is the plateau in critical vulnerabilities. These used to constitute nearly 50% of all vulnerabilities reported by Microsoft each year. Over the past few years, however, this number has stabilised around 100, with recent figures showing 104, 89, and 84 critical vulnerabilities, respectively.

This plateau suggests that progress has stalled while there is a concerted effort to reduce critical vulnerabilities. Despite significant efforts, we have not seen the dramatic decreases that were expected. This stability indicates that while critical vulnerabilities are not increasing, they are also not being significantly reduced, which is a concern given the evolving threat landscape.

What does the plateauing of vulnerabilities signify for Microsoft’s security landscape?

The plateau in critical vulnerabilities speaks volumes about Microsoft’s broader security culture and operational challenges. It’s a double-edged sword. On one hand, it’s positive that we are not seeing an increase in critical vulnerabilities, which could suggest that existing security measures are somewhat effective. On the other hand, the lack of a significant decrease suggests that these measures are not as effective as they could be.

This plateau indicates that more must be done to address and mitigate vulnerabilities proactively for a company as significant and influential as Microsoft, which dominates much of the IT landscape.

Can you explain the observed trend in critical vulnerabilities and their recent stability?

Over the past few years, we’ve seen significant shifts in the landscape of Microsoft’s critical vulnerabilities. For example, reducing vulnerabilities in legacy software, such as the end of Internet Explorer, was a significant win. However, in the last three years, critical vulnerabilities have remained relatively stable, hovering around 100 per year. This suggests that while Microsoft has successfully phased out older, more vulnerable products, it has faced challenges in reducing vulnerabilities in newer and more complex systems, particularly in cloud services. For instance, a notable spike in cloud-related vulnerabilities, such as SQL injection, remains a persistent issue. This stability indicates that while progress has been made, there are still significant areas where Microsoft needs to improve its security measures.

Why is the stability of vulnerabilities not a positive sign in this context?

When we talk about driving forward security programs, the goal is always to learn from past mistakes and continuously improve. The fact that the number of vulnerabilities has stabilised rather than decreased suggests systemic issues are preventing further progress.

Given Microsoft’s rapid growth and expansion into cloud services, the expectation was that the number of vulnerabilities would decrease as older products were phased out and new, more secure products were introduced.

However, this hasn’t happened. The stable number of vulnerabilities indicates that while Microsoft manages to keep new vulnerabilities from dramatically increasing, it is not effectively reducing the existing ones. This suggests a need for more aggressive and innovative security strategies.

What challenges has Microsoft faced in reducing vulnerabilities, especially in legacy systems like the Print Spooler service?

Legacy systems pose unique and significant challenges. The Print Spooler service, for instance, has been a constant source of vulnerabilities year after year. This service is a part of the Windows operating system that has been around for decades, and it’s clear that addressing vulnerabilities in such deeply embedded legacy code is exceptionally challenging.

Despite focused efforts, it has taken years to stem the tide of new vulnerabilities in the Print Spooler. This indicates the broader difficulties in managing and securing legacy systems, which often contain old, complex, and sometimes poorly documented code that can be difficult to update and secure without introducing new issues.
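The practical check that follows from this answer is whether a given host needs the Print Spooler at all, and whether the driver-installation restriction introduced with the 2021 Print Spooler fixes is in force. The script below is an added example written for this article; it is not code from BeyondTrust, the report, or Microsoft. It assumes an elevated PowerShell session on a Windows host with the PrintManagement module available, and it only changes anything when the hypothetical `-Remediate` switch is passed.

```powershell
# Added example: audit Print Spooler exposure on a Windows host and, optionally,
# disable the service where the host shares no printers.
# Assumptions: elevated session; PrintManagement module present (Windows 8 / Server 2012+);
# the -Remediate switch is this example's own convention, not a Microsoft flag.
function Test-SpoolerExposure {
    param([switch]$Remediate)

    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode

    # Point and Print hardening (KB5005652): require administrator rights to install
    # printer drivers. 1 = restricted (the default on patched hosts), 0 = open.
    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = (Get-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators `
                 -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    # A host that shares printers is a print server; do not silently disable its spooler.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

    $report = [pscustomobject]@{
        Host                          = $env:COMPUTERNAME
        SpoolerStatus                 = $svc.Status
        SpoolerStartMode              = $startMode
        SharedPrinters                = $shared.Count
        RestrictDriverInstallToAdmins = if ($null -eq $restrict) { 'not set (patched default is 1)' } else { $restrict }
    }

    if ($Remediate) {
        if ($shared.Count -gt 0) {
            Write-Warning "$($env:COMPUTERNAME) shares $($shared.Count) printer(s); leaving Spooler enabled."
        } else {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            # Set the restriction explicitly rather than relying on the patched default.
            New-Item -Path $ppKey -Force | Out-Null
            Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        }
    }
    return $report
}

# Audit only:
Test-SpoolerExposure
# Audit and disable the service on hosts that share no printers:
# Test-SpoolerExposure -Remediate
```

The audit output is the thing to collect fleet-wide first: a spooler that is Running and Automatic on a host with zero shared printers is attack surface with no business purpose, and domain controllers in particular should not be running it. Only the `RestrictDriverInstallationToAdministrators` value is checked here; the script does not cover the broader Point and Print policy settings, which should be reviewed separately.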

Do you think the challenges Microsoft faces indicate a larger industry problem?

Yes, this is a broader industry issue. Different vendors have varying levels of maturity when it comes to dealing with security vulnerabilities. Some companies lack responsible disclosure programs or are unwilling to work with security researchers. For instance, some vendors do not entertain reports of vulnerabilities unless they come from paying customers, while others might issue legal threats to researchers reporting vulnerabilities.

This inconsistency in handling vulnerabilities indicates a more significant problem within the software industry. Software vulnerabilities are inevitable, and how companies handle them is crucial. The maturity of a company’s vulnerability management program often determines its overall security posture.

With the rise of generative AI, how do you see its impact on security, particularly for Microsoft?

Generative AI introduces both opportunities and challenges in security. AI has the potential to both uncover and exploit vulnerabilities and help prevent them. Research has shown that coders using AI assistants to write code can inadvertently introduce more vulnerabilities. This is because AI-generated code might lack context and fail to account for all security nuances. Additionally, the explainability of AI-generated code is a concern. If AI introduces complex vulnerabilities, understanding and mitigating them can be challenging. There’s also the issue of malicious use of AI, where threat actors could leverage AI to find and exploit vulnerabilities more efficiently. Therefore, while AI can be a powerful tool for improving security, it also introduces new risks that must be managed.

What are your thoughts on the recent trends in Microsoft Office vulnerabilities?

Microsoft Office has been a significant target for attacks, primarily through phishing emails and malicious macros. Over the past decade, Office documents and email attachments have become synonymous with cyberattacks. Microsoft has made significant efforts to improve Office’s security, such as restricting internet-downloaded macros by default and enhancing how Office runs to protect the system. Despite these efforts, vulnerabilities in Office have seen a resurgence.

This resurgence indicates a shifting focus and priorities within Microsoft. For example, as Microsoft focuses on newer products and services, legacy products like Office may not receive the same level of attention, increasing vulnerabilities.
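The default macro block mentioned in this answer keys off the Mark of the Web, which on NTFS is a `Zone.Identifier` alternate data stream written when a file is downloaded. The function below is an added example written for this article, not code from BeyondTrust or Microsoft; it reads that stream for a given file and checks the per-application policy value that enforces the block. It assumes Office 2016 or later (the `16.0` registry hive) and an NTFS volume, and the test document it creates is constructed input.

```powershell
# Added example: check whether an Office file carries the Mark of the Web that triggers
# the default block on macros from the internet, and whether the enforcing policy is set.
# Assumptions: Office 2016+ (16.0 hive), NTFS volume (alternate data streams).
function Test-OfficeMacroExposure {
    param([Parameter(Mandatory)][string]$Path)

    # Mark of the Web: [ZoneTransfer] block in the Zone.Identifier stream.
    # ZoneId 3 = Internet, 4 = Restricted Sites; both trigger the macro block.
    $zone = $null
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads) {
        $m = $ads | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        if ($m) { $zone = [int]$m.Matches[0].Groups[1].Value }
    }

    # Policy that enforces the block regardless of the user's Trust Center choice:
    # HKCU\Software\Policies\Microsoft\office\16.0\<app>\security\blockcontentexecutionfrominternet = 1
    $policy = foreach ($app in 'word', 'excel', 'powerpoint') {
        $key = "HKCU:\Software\Policies\Microsoft\office\16.0\$app\security"
        $v = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
              -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App                 = $app
            BlockInternetMacros = if ($null -eq $v) { 'not set (default block, user can change)' } else { $v }
        }
    }

    [pscustomobject]@{
        File              = $Path
        HasMarkOfTheWeb   = ($null -ne $zone)
        ZoneId            = $zone
        MacroBlockApplies = ($zone -in 3, 4)
        Policy            = $policy
    }
}

# Constructed input: a placeholder document tagged as downloaded from the Internet zone.
$doc = Join-Path $env:TEMP 'invoice.docm'
Set-Content -Path $doc -Value 'placeholder'
Set-Content -Path $doc -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-OfficeMacroExposure -Path $doc
```

Two caveats worth keeping in mind when reading the output. A file with no `Zone.Identifier` stream is not blocked, and the stream is lost when a file is saved to FAT or exFAT media, extracted by some archive tools, or cleared with `Unblock-File` or the Unblock checkbox in file properties; the block is therefore only as strong as the delivery path that preserves the mark. And without the policy value set to 1, the default block is a Trust Center setting that a user can turn off, which is why the function reports it separately.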

Looking forward, what trends do you see in the security landscape for the rest of

One of the significant trends we’re seeing is a shift towards identity security. With more data moving to the cloud, attackers find it easier to capture user credentials than to exploit endpoint vulnerabilities. This shift necessitates a focus on identity and privilege access management.

The traditional perimeter and endpoint security models are evolving, and identity security is becoming the new frontier. Attackers are increasingly targeting identity systems because compromising an identity can grant them broad access to sensitive data and systems.

This trend highlights the need for robust security measures and a holistic approach to managing and securing identities. Additionally, we expect to see continued innovation from attackers and the emergence of new vulnerabilities, which will require continuous learning and adaptation from security professionals.

The key takeaway is the need for continuous improvement and learning in security practices to manage and mitigate vulnerabilities better. Like many other companies, Microsoft faces significant challenges securing its products and services, especially as it grows and expands into new areas. Addressing these challenges requires a proactive and innovative approach to security and a willingness to learn from past mistakes and continuously improve.