SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
1,292 Microsoft vulnerabilities in 2022, according to report
Thu, 23rd Mar 2023
FYI, this story is more than a year old

BeyondTrust has released its 2023 Microsoft Vulnerabilities Report, finding vulnerabilities rose to 1,292 in 2022, an all-time high in the report’s 10-year history.

This report marks the 10th-anniversary edition and covers a decade of vulnerability insights, providing valuable information and helping companies examine the past and present of Microsoft’s vulnerability landscape to plan for the future.

BeyondTrust’s report analyses data from the security bulletins that Microsoft publicly issued throughout the previous year.

This year’s report looks at the 2022 Microsoft vulnerabilities data, highlighting important changes and trends in the previous 12 months.

The report emphasises some of the most significant CVEs of 2022 and breaks down how attackers take advantage of them, as well as how they can be prevented or mitigated.

Microsoft allocates product vulnerabilities into different categories, including Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Tampering, Information Disclosure, Denial of Service, and Spoofing.

The latest data shows Elevation of Privilege remains the leading vulnerability category in 2022 for the third consecutive year, comprising 55% (715) of the total Microsoft vulnerabilities for the year.

A key finding of the report is that, as previously mentioned, Microsoft vulnerabilities grew to 1,292 in 2022.

However, BeyondTrust notes that the number of vulnerabilities is not the only concerning aspect of this, adding that the unique threat and impact that individual vulnerabilities pose should also be a worry.

Further, Microsoft Azure and Dynamics contributed the most to Microsoft’s revenue but also saw the largest increase in vulnerabilities.

These services saw a drastic increase of 159%, rising from 44 in 21 to 114 in 2022.

2022 also saw 6.9% of Microsoft’s vulnerabilities rated “critical”, a significant decrease from 44% in 2013.

Microsoft Edge experienced 311 vulnerabilities last year, but none were “critical”.

In addition, there were 513 Windows vulnerabilities, and 49 of these were considered “critical”.

BeyondTrust’s report also notes Microsoft Office experienced a five-year low of just 36 vulnerabilities, while Windows Server vulnerabilities rose slightly to 552.

The report includes commentary from a panel of some of the world’s leading cybersecurity experts, who weigh in on its findings.

These cyber leaders offer insights into how defences might develop as the industry looks to the next decade in cyber threats and vulnerabilities.

“Microsoft has a high volume of vulnerabilities that we have seen increase over the last 10 years of our research,” says James Maude, Lead Security Researcher at BeyondTrust.

“This report outlines many of the risks, and highlights the importance of timely patching alongside the removal of excessive administrative rights to mitigate the risks.”

BeyondTrust says the previous decade has resulted in an increase in Microsoft vulnerabilities throughout all its categories, with Elevation and Privilege vulnerabilities growing 650%.

New Microsoft products have caused the overall vulnerability growth during this time, with the increase of Azure and Dynamics 365 vulnerabilities over the previous year largely the result of Azure Site Recovery Suite.

BeyondTrust says if there’s one positive to come out of the last 10 years of vulnerabilities, it’s that the fundamental ways to manage these risks have remained unchanged throughout the decade and before 2013 as well.

Least privilege enforcement has shown it is just as relevant to the current cloud systems and IoT devices as it is to legacy systems, some of which are still operational.

Using BeyondTrust’s Endpoint Privilege Management offerings can allow businesses to achieve least privilege fast, giving them strong security while allowing them to maintain productivity.