The entire variety of Microsoft vulnerabilities reported in 2021 dropped by 5%, reversing a five-year development that noticed such vulnerabilities rising sharply, in line with a brand new report from id administration and safety vendor BeyondTrust.
A complete of 1,212 new vulnerabilities had been found in 2021, however their severity, in addition to their location within the Microsoft household of software program merchandise, has modified considerably 12 months over 12 months. Vulnerabilities rated as “vital” on the CVSS commonplace dropped by 47% up to now 12 months, reaching their lowest ranges since BeyondTrust started issuing this report, 9 years in the past.
Vulnerabilities on Home windows, Home windows Server drop
Home windows and Home windows Server each noticed sharp drops in complete vulnerabilities detected, by 40% and 50%, respectively, whereas vulnerabilities affecting Microsoft’s Edge and Web Explorer browsers hit a report excessive.
Helping within the newest evaluation is Microsoft’s transfer to NIST’s frequent vulnerability scoring system, which lets researchers cross-reference safety flaws extra instantly with bugs within the exterior ecosystem.
The commonest kind of vulnerability seen in 2021 concerned privilege elevation, the place an attacker positive factors admin rights to a system via illicit means. A complete of 588 such vulnerabilities had been found in 2021. BeyondTrust’s researchers credit score a extra widespread adherence to good safety practices for this rise — perversely, a basic lower in customers with pointless admin privileges helped focus dangerous actors’ efforts on makes an attempt to achieve elevated privileges in numerous methods.
Attackers innovate to achieve admin rights
“With out easy accessibility to customers with native admin rights, attackers have began to innovate to achieve elevated privileges that may then be used to compromise techniques, steal credentials, and transfer laterally,” the report mentioned.
The second-most frequent kind of vulnerability centered on distant code execution, which is especially harmful since assaults focusing on such flaws might be performed remotely, with little or no person interplay required. A complete of 326 of those vulnerabilities had been present in 2021, 35 of which rated a 9.0 or increased on the CVSS scale.
“With this kind of threat, a workable exploit is just not a matter of ‘does an exploit exist,’ however fairly ‘when will or not it’s publicly out there,'” mentioned the BeyondTrust report.
The report additionally broke out vulnerabilities in key Microsoft merchandise, together with Azure, Home windows and Microsoft Workplace. The latter noticed only one vital vulnerability, in comparison with a complete of 66 present in 2021, whereas the identical numbers for Azure and Dynamics 365 had been seven and 44, respectively.
BeyondTrust’s researchers praised Microsoft’s constant efforts to maintain Azure protected, and lauded a “regular decline” in Workplace vulnerabilities. Equally, the Home windows working system itself noticed a 40% drop in complete vulnerabilities in 2021 in comparison with the earlier 12 months, with a 50% drop in vital safety flaws.
Copyright © 2022 IDG Communications, Inc.
