In record year for vulnerabilities, Microsoft actually had fewer
Occasional gaping hole and overprivileged users still blight the Beast of Redmond
Despite a record number of publicly disclosed security flaws in 2021, Microsoft managed to improve its stats, according to research from BeyondTrust.
Figures from the National Vulnerability Database (NVD) of the US National Institute of Standards and Technology (NIST) show last year broke all records for security vulnerabilities. By December, according to pentester Redscan, 18,439 were recorded. That's an average of more than 50 flaws a day.
However, just 1,212 vulnerabilities were reported in Microsoft products last year, said BeyondTrust, a 5 percent drop on the previous year. In addition, critical vulnerabilities in the software (those with a CVSS score of 9 or more) plunged 47 percent, with Windows Server's critical count specifically down 50 percent. There was bad news for Internet Explorer and Edge vulnerabilities, though: they were up 280 percent on the prior year, with 349 flaws spotted in 2021.
BeyondTrust commented that analysis had been simplified by Microsoft's move to the Common Vulnerability Scoring System (CVSS), although an unfortunate side effect is that security gurus can no longer determine the impact of administrative rights on critical vulnerabilities, since Microsoft stopped publishing the per-flaw mitigation detail the earlier analyses relied on.
"From 2015 to 2020," said the report, "removing admin rights could have mitigated, on average, 75 percent of critical vulnerabilities."
It's a very good point: keeping permissions to the bare minimum is excellent practice, although difficult to enforce.
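Enforcement is the hard part of the point above: admin rights accrete on workstations through local groups that nobody audits. The script below is an added example, not code from the BeyondTrust report or from The Register, showing one way to find and strip unapproved members of a machine's local Administrators group. It assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts cmdlets available, an elevated session, and an allow list whose entries (the `CORP\Workstation Admins` group and the built-in Administrator account) are hypothetical placeholders for your own approved principals.

```powershell
# Added example (not from the BeyondTrust report or The Register): audit the local
# Administrators group against an allow list and optionally remove everyone else.
# Assumes Get-LocalGroupMember / Remove-LocalGroupMember (Windows 10 / Server 2016+)
# and an elevated session. The allow-list names are hypothetical placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals permitted to keep local admin rights (hypothetical names; replace with yours)
    [string[]] $Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins'),
    # Actually remove unapproved members; without this switch the script only reports
    [switch] $Remediate
)

# Well-known SID of the local Administrators group, so the script works on localised Windows
$builtinAdminSid = 'S-1-5-32-544'

# Enumerate current members (users and groups, local or domain)
$members = Get-LocalGroupMember -SID $builtinAdminSid -ErrorAction Stop

$report = foreach ($m in $members) {
    # The built-in Administrator account always has RID 500; keep it whatever it was renamed to
    $isBuiltin = $m.SID.Value -like 'S-1-5-21-*-500'
    [pscustomobject]@{
        Name     = $m.Name
        Source   = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD or MicrosoftAccount
        Class    = $m.ObjectClass       # User or Group
        Approved = $isBuiltin -or ($Approved -contains $m.Name)
    }
}

$report | Format-Table -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -eq 0) {
    Write-Host "No unapproved local administrators on $env:COMPUTERNAME."
    return
}

Write-Warning ("{0} unapproved member(s) of Administrators on {1}" -f $unapproved.Count, $env:COMPUTERNAME)

if ($Remediate) {
    foreach ($u in $unapproved) {
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run is one flag away
        if ($PSCmdlet.ShouldProcess($u.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $builtinAdminSid -Member $u.Name -ErrorAction Stop
        }
    }
}
```

Run it first as `.\Audit-LocalAdmins.ps1 -Remediate -WhatIf` to see what would be removed before letting it change anything, and push it to a fleet with `Invoke-Command -ComputerName`. It only covers local group membership; domain-wide control of who lands in that group is a job for Group Policy restricted groups, and the local Administrator password itself should be managed by LAPS. Note that `Get-LocalGroupMember` can fail on orphaned or unresolvable SIDs, which is exactly the kind of stale entry worth looking at by hand.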
The decline in vulnerabilities marks a change for Microsoft. In 2016, the count of vulnerabilities stood at 451, according to the report. By 2020 they had leapt to 1,268. A drop, even if only to 1,212, is the first in that period. It's just as well, since between 2019 and 2020 alone there was a 48 percent rise in vulnerabilities year on year.
And the trendiest categories are...
The report also drilled into vulnerability categories. Elevation of Privilege flaws topped the table with 588 vulnerabilities, up from 559 in 2020, followed by Remote Code Execution with 326, itself down from 345 in the prior year.
Explaining the apparent explosion in Edge and Internet Explorer numbers (349 vulnerabilities up from 92 in 2020), BeyondTrust pointed to a consolidation in the browser market and a renewed focus on browser attacks as exploited plugins (such as Flash) were dropped and bug bounties made reporting vulnerabilities more financially attractive. It also pointed out that only six were critical (a record low).
The decline in Windows vulnerabilities was attributed to Microsoft's efforts to improve the security architecture of its supported products, as was the fall in Windows Server holes. The move from security as an afterthought to something front and center is also a factor, even if it has taken a few iterations of operating systems.
That said, there were some spectacular holes in the company's products during 2021. Last year's Exchange Server vulnerabilities, for example, left many administrators scrambling to patch systems. 2021's stability, from the standpoint of Microsoft's vulnerabilities, must be considered alongside the rapid rises of previous years.
As the report authors note, simply patching the problems might not deal with the underlying issues. Removing admin rights and privileges also plays a part in reducing the attack surface. ®