The eighth annual edition of our popular Microsoft Vulnerabilities Report is here, and what a big one it is. The 2021 edition of the report provides a 12-month consolidated view and analysis of Microsoft patch Tuesdays through 2020, providing a crucial barometer of the threat landscape for the Microsoft ecosystem. This report also includes commentary and analysis from some of the world’s foremost authorities on Microsoft and cybersecurity.
Encompassing Microsoft platforms and products, the Microsoft Vulnerabilities Report not only assess the number of vulnerabilities, but also their severity rating—and most importantly, how many of them could be broadly mitigated. The report also offers a five-year trends analysis, which provides valuable context into understanding where the threat landscape is growing, and what we need to prepare for on the horizon.
Over the past five years, exploitation of unpatched vulnerabilities resulted in numerous high-profile breaches, including 2017’s WannaCry, 2018’s Ryuk Ransomware attack, and this year’s Microsoft Exchange Server attack. The spotlight is on why these breaches continue to happen long after patches have been issued, what else could be done to mitigate the attacks.
Finally, it is worth noting that (approximately) 1.5 billion people use Windows operating systems every day, and one in three breaches are caused by unpatched vulnerabilities. Clearly it is vital that organizations stay one step ahead of threat actors who are exploiting this growing landscape.
Fortunately, this report is the perfect catalyst to act now and secure your organization. So with that, let’s take a closer look at the latest findings below.
2021 Microsoft Vulnerabilities Report: Key Findings
The first and arguably most concerning discovery in this year’s report is the sheer volume of vulnerabilities in 2020. A total of 1,268 were reported, which marks a colossal 48% rise over the previous year (858). This is in fact the sharpest spike since the inception of the Microsoft Vulnerabilities Report, and means that, since 2016, total vulnerabilities have increased by 181%.
Another interesting find this year was a reshuffling in prominence of vulnerability categories. In previous reports, ‘Remote Code Execution’ was consistently the most common Microsoft vulnerability, however last year – for the first time – ‘Elevation of Privilege’ attacks rose significantly (trebling, in fact), making it the number one route for attack, and accounting for 44% of LL Microsoft vulnerabilities in 2020.
The reason for this reshuffling and explosion of privilege elevation vulnerabilities can be difficult to quantify, but our Lead Cybersecurity Researcher, James Maude, suspects that ‘it could reflect a decreasing availability of easily compromised admin accounts, driving threat actors to utilize different attack vectors in cyberbreaches.’ Of course, easily compromised admin accounts have, unfortunately, certainly not gone away as a threat, as demonstrated by the recent Verkada IoT camera breach.
A constant focus for us has always been vulnerabilities marked as ‘Critical’ by Microsoft. By their own definition, a ‘Critical’ vulnerability is one “whose exploitation could allow the propagation of an internet worm without user action, and possibly without even a prompt.” These are the most dangerous vulnerabilities as they could allow a remote attacker to execute commands on a vulnerable computer and essentially take full control over it.
In 2020, there were a total of 196 Critical vulnerabilities reported. Interestingly though, 109 (that’s 56%) of them could have been mitigated if one simple action had been taken: the removal of administrator rights. This has proven a common theme over the years, yet many organizations are still dragging their feet when it comes to admin rights removal, which is a key part of applying the security principle of least privilege (PoLP).
Weighing in on the report, Microsoft MVP & Ethical Hacker, Sami Laiho, says, “the removal of admin rights provides great proactive protection. We need to secure the components that execute malicious payloads, especially in important apps that browse the web or read email. The numbers in this report prove that removing admin rights will give you protection for Outlook, Office, IE, and Edge.”
As highlighted by Sami, the numbers tell the story. In 2020:
- 90% of Critical vulnerabilities in Internet Explorer would have been mitigated through the removal of admin rights
- 85% of Critical vulnerabilities in Microsoft Edge would have been mitigated through the removal of admin rights
- 100% of all Critical vulnerabilities in Microsoft Outlook products would have been mitigated by removing admin rights
How to Effectively Removing Admin Rights & Mitigate Vulnerabilities
With such strong and continuous evidence demonstrating the benefits of removing admin rights, why are many organizations hesitant to do so? The prominent reason is the fear of being unable to find the right balance between user productivity and adequate security measures. The worry of an overloaded IT Service Desk handing help desk tickets related to access is another key factor, as overlocked environments would typically lead to users requested access many times to complete the most basic tasks. Of course, malware infections and other attacks that come with excessive amounts of privilege also result in increased service desk tickets and many other undesirable issues!
