Microsoft product vulnerabilities reached a new high of 1,268 in 2020

56% of all Microsoft critical vulnerabilities could have been mitigated by removing admin rights, according to the 2021 BeyondTrust Microsoft Vulnerabilities Report.

The total number of vulnerabilities in Microsoft products reached an all-time high of 1,268 in 2020, a 48% increase year over year, according to a new report. Windows, with 907 issues, had the most vulnerabilities. Of those, 132 were critical.

“Windows 10 was touted as the ‘most secure Windows OS’ to date when it was released, yet it still experienced 132 critical vulnerabilities last year … Removing admin rights could have mitigated 70% of these critical vulnerabilities,” according to the Microsoft Vulnerabilities Report 2021 by BeyondTrust, which examined vulnerability data in the security bulletins, known as Patch Tuesday, posted by Microsoft in the past year. Unpatched vulnerabilities are responsible for one in three breaches around the world, the BeyondTrust report said. Approximately 1.5 billion people use Windows operating systems every day, according to the report.

Microsoft declined to comment.

Flaws by product

Windows Server had the largest number of critical issues: 138 of 902 vulnerabilities were deemed critical in 2020. Overall, Windows 7, Windows RT, Windows 8/8.1 and Windows 10 comprised the rest of that figure, the report said.

Issues were also discovered in other Microsoft products, including Microsoft Edge and Internet Explorer 8, 9, 10 and 11. Together, the browsers had 92 vulnerabilities in 2020, and 61 of them, or 66%, were determined to be critical, according to the report.

The BeyondTrust report noted that there were 27 critical vulnerabilities in Internet Explorer 8, 9, 10 and 11 during 2020. “Removing admin rights could have mitigated 24 of them, eliminating 89% of the risk,” the report said. 

Critical vulnerabilities in Microsoft Edge decreased last year, from 86 to 34. Of those 34, removing admin rights could have mitigated 29 of them (85%), the BeyondTrust report said.

In Microsoft Office, there were 79 vulnerabilities in Excel, Word, PowerPoint, Visio, Publisher and other Office products. Of those, only five were considered critical, “and removing admin rights would have mitigated four of them in all Office products,” the report said.

A total of 902 vulnerabilities were reported in Microsoft Security Bulletins affecting Windows Servers in 2020, a 35% increase over the previous year. Of the 138 vulnerabilities with a critical rating, 66% could be mitigated by the removal of admin rights, according to the report.

The most common vulnerability was Elevation of privilege

While a wide range of vulnerabilities were found in various Microsoft products in 2020, for the first time Elevation of privilege, which occurs when an application gains rights or privileges that should not be available to it, accounted for the largest proportion. It almost tripled in number year over year, from 198 in 2019 to 559 in 2020, making up 44% of all Microsoft vulnerabilities in 2020.

Such vulnerabilities allow malicious actors to gain higher-level permissions on a system or network. The attacker can then use these privileges to steal confidential data, run administrative commands, or install malware.

Fifty-six percent of all Microsoft critical vulnerabilities could have been mitigated by removing admin rights, the report said.

“Enforcing least privilege is the fastest and most effective measure to address this problem,” the report said.

“In the past, a ransomware attack would have targeted one vulnerability; now a single strain can target a dozen or more,” the BeyondTrust report said. “Once attackers gain access to your network via a phishing email, they can seek and target endpoints you haven’t patched.”

Zero trust is a must

The BeyondTrust report also included commentary from cybersecurity experts. Remote work changed the paradigm of cybersecurity in 2020 as homes became individual offices, said Chuck Brooks, a cybersecurity professor at Georgetown University, in the report.

“As a result of a greatly expanded digital attack surface, phishing attacks are up 600%, including Covid-19-themed phishing attacks aimed at workers mixing personal and work devices over non-secure Wi-Fi networks,” Brooks said. “A majority of those remote work-related breaches emanated from a lack of visibility by administrators over employee access policies and vulnerable endpoints.”

To adjust to the remote work model, companies need to better manage the proliferation of desktop and mobile devices, including applying patches and security updates, he said.

“Controlling user privileges and employing stronger endpoint management under a zero-trust framework are prudent initiatives for companies to follow as digital connectivity grows,” Brooks said.

He acknowledged that it can be a significant challenge to validate the security configurations, controls and patches in a remote scenario, and that it is difficult to protect what you cannot see.

“However, this gap can be mitigated by removing employee administration rights by assuming they are at risk,” Brooks said. “In simple terms, zero trust for anything outside the CISO’s team or administrator’s direct control.”

Sami Laiho, a Microsoft MVP and ethical hacker, said that the huge jump in the number of vulnerabilities indicates that more and more security researchers are actively helping companies protect themselves, but at the same time cyberattackers are likewise actively searching for vulnerabilities.

Laiho suggested that companies look at allow-listing, as long as they have the Principle of Least Privilege in place. This gives the ability to add “maybe a rule a month to the ‘good application’ or ‘locations’ list while deny-listing needs to add more than a million lines to the list every day.”

He added that “the Windows security subsystem was not built to withstand the use of admin rights.”

Laiho also suggested the removal of admin rights as “a great proactive protection.”
