In 2021, only 104 critical vulnerabilities were reported, an all-time low for the world’s largest software company.
According to the annual BeyondTrust Microsoft Vulnerabilities 2022 report, overall vulnerabilities across Microsoft products decreased by five percent in 2021. While some products, such as Internet Explorer and Microsoft Edge, saw increases in their total number of vulnerabilities, the number of Microsoft vulnerabilities classified as critical is the lowest recorded to date.
This trend also applied to Windows, Windows Server, Microsoft Office, Azure Cloud and Dynamics 365, the ERP solution from Microsoft.
To create the Microsoft Vulnerability Report, the authors reviewed every Microsoft security bulletin from the previous year to provide a barometer of the threat landscape to the Microsoft ecosystem.
The number of vulnerabilities in other categories, such as memory corruption, overflow, and cross-site scripting, also fell significantly across all Microsoft products between 2020 and 2021.
For the second year in a row, elevation of privilege has overtaken remote code execution as the security category with the most recorded vulnerabilities.
“Looking at the data this year, we can see the continued downward trend in critical vulnerabilities,” said James Maude, senior cybersecurity researcher at BeyondTrust, a privilege management and cloud security provider. “Put simply, this investment has made it significantly more difficult for an attacker to go from a browser vulnerability to full control of the system in one go.”
Vulnerabilities in Microsoft products
Vulnerabilities in Internet Explorer and Edge
In 2021 there were a record-breaking 349 vulnerabilities in Internet Explorer and Edge, almost four times the number in 2020, although only six were rated critical.
This sudden surge is due to the consolidation of the browser market (with Edge inheriting Chrome browser technology from Google), fewer browser plug-ins such as Adobe Flash to attack, and improved transparency in security vulnerability reporting attributed to Google, the report said.
In 2020, there were 507 vulnerabilities in the Windows 7, Windows RT, Windows 8/8.1 and Windows 10 operating systems. Sixty of the vulnerabilities in the Windows 10 operating system were classified as critical. Overall, Windows vulnerabilities have decreased by 40% compared to 2020 and by 50% over the past five years.
“Microsoft’s more aggressive stance on updating Windows also translates into a reduction in the time systems are at risk of vulnerabilities,” the report said. “This two-point combination of fewer vulnerabilities and faster patching is a welcome advance after the relentless push of 2020.”
Microsoft Office vulnerabilities
Of the 66 Office vulnerabilities reported, only one was classified as critical. While this is good news, Office applications are still vulnerable to legacy exploits like the Equation Editor bug, although patches have been available for years.
“Many malware toolkits contain numerous Office exploits compiled over the last 10 years with the aim of finding an unpatched system,” the report states. “These toolkits and strategies have proven extremely successful for many threat actors.”
Vulnerabilities in Windows Server
Vulnerabilities in Windows Server have fallen to their lowest level since 2018, the report said. Compared to 2020, the number of Windows Server vulnerabilities decreased by 41% while critical vulnerabilities decreased by 50%.
“It took Microsoft multiple generations of Windows Server to get to an inherently more secure version,” the report said. “The latest versions of Windows Server have fewer vulnerabilities than ever before, despite being among the largest code bases for any operating system.”
Vulnerabilities in Azure and Dynamics 365
Of the 30 vulnerabilities in Azure, only five were classified as critical. Dynamics 365 had six critical vulnerabilities in 2020.
The report identified three vulnerabilities as particularly problematic:
- Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-28480 and CVE-2021-28481)
- Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-34473, CVE-2021-26894, CVE-2021-26895, and CVE-2021-26897)
- Microsoft Defender for IoT Remote Code Execution Vulnerability (CVE-2021-42311 and CVE-2021-4231)