Microsoft Vulnerabilities Hit a Record-High: Here’s Why

The tenth anniversary edition of our Microsoft Vulnerabilities Report paints a cautious picture of how the vulnerability landscape has taken shape over the past decade.

In 2022, Microsoft total vulnerabilities hit a record high. Since the launch of our report, we have seen such developments as the skyrocketing of Elevation of Privilege Vulnerabilities (650% across the past ten years), an overall increase in total vulnerabilities—partly driven by the development and expansion of new products and technologies—and a steady reduction of critical vulnerabilities. Based on this data, this report drew a few important conclusions:

1. Hackers’ objectives have remained consistent over the past decade.
2. The fundamental ways to mitigate threats have also remained constant—and are working.
3. Removing admin rights remains the most proactive step in the mitigation of vulnerabilities.

Let’s take a closer look at the latest findings below, the highlights from the 10-year trends that have driven us towards our current threat landscape, and the steps we can take to protect ourselves against the continuously expanding attack surface.

About the 10th anniversary edition of the Microsoft Vulnerabilities Report

Our 2023 anniversary edition provides a unique, holistic view of the Microsoft vulnerability landscape. As with previous reports, we provide a 12-month consolidated view and analysis of Microsoft Patch Tuesdays throughout 2022, providing annual data across Microsoft platforms and products. The findings not only assess the number of vulnerabilities, but also their severity rating, delivering a crucial barometer of the threat landscape for the Microsoft ecosystem.

In this year’s special edition, we also compare 10 years of Microsoft vulnerability trends, and include commentary and analysis from some of the world’s foremost authorities on cybersecurity – including Jane Frankland, Derek Hanson, Charles Henderson, Troy Hunt, Paula Januszkiewicz, Marc Maiffret, and Avi Shua. And, of course (because it is 2023), the report even includes insights from ChatGPT!

This year’s report, as with previous editions, provides valuable context into a decade of Microsoft vulnerability trends to help our readers understand what’s driving the threat landscape, where the threat landscape is growing, and how we need to prepare for future threats.

2023 Microsoft Vulnerabilities Report: key findings

Total vulnerabilities hit an all-time high

In 2022, total Microsoft vulnerabilities increased 7% over the previous year to hit 1,292, an all-time high since the report began 10 years ago. The development of new products and technologies is a main driver behind these climbing numbers. As Microsoft continues to create new products, improve existing products, and draw more customers, the new offerings provide new code, which increases the attack surface.

For example, Microsoft Azure and Dynamics 365 earned the biggest financial gains for the company in 2022 (cloud revenue accounted for 51.4% of Microsoft’s total revenue in 2022), but also contributed the largest gains in vulnerabilities, as represented by both the increase in number of vulnerabilities (70) and the percentage increased (159%) in 2022.

In addition, new technological development, such as in AI and ML, are expected to introduce entirely new classes of vulnerabilities that are even harder to track down and fix. A 2022 paper titled “Do Users Write More Insecure Code with AI Assistants?” supports this, with researchers from Stanford reporting that developers using AI assistants to write code are more likely to introduce security vulnerabilities than those who don’t rely on AI assistants.

Elevation of Privilege and Remote Code Execution categories continue to dominate

The Elevation of Privilege category dominated the Microsoft vulnerability landscape for the third year in a row in 2022, accounting for 55% of the total Microsoft vulnerabilities. Elevation of Privilege vulnerabilities increased by 22% over 2021 to 715, and demonstrated a 689% increase since 2017.

Despite continuing a slight downward trend (4% over 2021), Remote Code Execution remains the second-highest vulnerability category.

The fact that Elevation of Privilege and Remote Code Execution continue to top the charts in the vulnerability landscape indicates that hackers’ objectives remain the same: they need to gain privileges to execute their attack. Microsoft’s continued progress at reducing the number of critical vulnerabilities and removing excessive privileges, especially on endpoints, and the fact that more organizations are removing admin rights as a security best practice are driving the need for attackers to exploit elevation of privilege vulnerabilities to succeed.

Critical vulnerabilities hit a five-year low

The number of critical vulnerabilities dropped for the 2nd year in a row, hitting a five-year low of 89. This steady decline is largely a result of Microsoft’s threat reduction initiatives and dedication to the adoption of security patches and protocols. In 2022, only 6.9% of Microsoft vulnerabilities were rated as ‘critical’, compared to 44% in 2013.

These trends suggest that organizations that follow proper security hardening by ensuring operating systems and third-party software are up-to-date—and not end-of-life—can minimize the chance of a vulnerability-related breach. However, as this report demonstrates, patching and vulnerability management programs alone can leave organizations at-risk:

• Patching is not always possible, desirable/riskless, or successful (it can fail)
• Zero day vulnerabilities can be exploited before a patch is available – this could occur with more frequency as threat actors lean into AI-powered attack tools
• Vulnerabilities can continue to “snowball” even after they are patched.

It remains crucial for organizations to have proactive security defenses, such as least privilege, in place.

As past editions of the Microsoft Vulnerability Report have clearly found, removing admin rights continues to provide powerful, proactive protection—even against many zero day vulnerabilities and exploits. From the years 2015 – 2020 (when such Microsoft vulnerability data was available), our research found that 75% of Critical Microsoft vulnerabilities could have been mitigated by removing admin rights.

In addition to providing strong baseline security, removing admin rights and enforcing least privilege are two security criteria that are increasingly demanded by cyber insurance providers. These security controls are also consistent with zero trust security principles, and essential for implementing a zero trust architecture. This least privilege story hasn’t changed over the past decade and is just as relevant as ever. Least privilege enforcement has proved itself to be just as relevant to the cloud systems and IoT devices of today as it did to the legacy systems of yester-year (some of which are still operational).

Other important findings from the latest Microsoft Vulnerabilities Report

• Microsoft Edge experienced 311 vulnerabilities last year, but none were critical.
• There were 513 Windows vulnerabilities in 2022, 49 of which were critical.
• Microsoft Office experienced a five-year low of just 36 vulnerabilities in 2022.
• Windows Server vulnerabilities rose slightly to 552 in 2022.

The vulnerability snowball effect

This year, BeyondTrust’s lead cybersecurity researcher, James Maude, who drove the research and analysis behind the report, provides a detailed explanation of a vulnerability phenomenon that has a particularly prominent impact on Microsoft’s vast and ever-growing attack surface. What he coins ‘The vulnerability snowball effect’ is a consequence of the longtail of legacy code that much of the Microsoft ecosystem is built on.

While most new code is developed through secure development practices and is less likely to introduce new vulnerabilities than in earlier years, any legacy code that is used brings “baggage” (in the form of vulnerabilities) with it through the evolution of product versions.

Every so often, researchers stumble across an area that proves to be a goldmine of vulnerabilities. One vulnerability is found and patched, but in the process, this draws fresh attention to an area that may have evaded scrutiny in the past. New researchers dig in, only to find new vulnerabilities, new attack vectors, and new ways around previous patches—and the vulnerability count starts to snowball.

How to proactively reduce vulnerability risk

This year’s edition of the Microsoft Vulnerabilities Report explored five proactive steps organizations can take to reduce vulnerability risk:

1. Implement vulnerability management: Find, prioritize, and determine a remediation path for all vulnerabilities. Patching sooner than later can help you prevent a seemingly innocuous vulnerability from snowballing into a bigger threat.
2. Enforce least privilege: Removing local admin rights and “right-sizing” privileges can provide highly effective protection, even in the absence of patching. It has been proven to help break multiple points in the attack chain to significantly mitigate the risk of vulnerabilities.
3. Follow security hardening protocols: Always ensure your operating system and third-party software are up-to-date and you are not using end-of-life software in your environment.
4. Secure remote access pathways: Stretching Microsoft’s Remote Desktop Protocol (RDP), as well as VPNs and many other common remote access technologies, beyond their proper use cases can result in security exposures and breaches. You need to match the right tools for the right access use case.
5. Stay vigilant regarding emerging threats: Understanding the threats goes a long way toward making more informed decisions and keeping yourself secure.

Protecting against vulnerabilities with BeyondTrust

BeyondTrustproactively protects identities, access, and endpoints across your entire environment. BeyondTrust solutions stop threats and mitigate vulnerabilities by:

• Removing admin rights and implementing a true least privilege model, consistent with zero trust principles.
• Securing remote access pathways and infrastructure by ensuring all access by employees, vendors, and others is granularly controlled and audited.
• Preventing account hijacking and privilege escalation by securely managing all human and machine privileged credentials and secrets that touch the enterprise.
• Managing, monitoring, and auditing every privileged session.
• Providing advanced visibility into potential attack pathways so access can be proactively right-sized and attack vectors eliminated.
• Providing a centralized view of identities, accounts, and privileges access across your IT estate
• Leveraging threat intelligence recommendations to improve your identity security posture.

Our final piece of advice

Vulnerabilities (at least where software is concerned) are inevitable. As the technology landscape continues its next phase of evolution, vulnerability numbers will continue to climb, and new threats will continue to emerge. However, the fundamental ways to mitigate those risks have remained constant for well over a decade. Those organizations who successfully implement the proactive and preventative security controls set out in this report will be much better poised to withstand tomorrow’s threats—and to satisfy the rigorous compliance, forensic requirements, and security controls demanded by cyber insurance providers and underwriters.

Download the full Microsoft Vulnerabilities Report today for more insights, a detailed breakdown of the stats, and exclusive commentary from cybersecurity experts and thought leaders.