The 2022 Edition of the Microsoft Vulnerabilities Report is Out – Despite Uneven Progress, a Picture of Elevated Vulnerabilities Remains

The ninth annual edition of our ever-popular Microsoft Vulnerabilities Report has landed, and it’s one of the most important reads for any cybersecurity professional this year.

In this 2022 edition, as with previous reports, we provide a 12-month consolidated view and analysis of Microsoft Patch Tuesdays throughout 2021. This report delivers a crucial barometer of the threat landscape for the Microsoft ecosystem. The report includes commentary and analysis from some of the world’s foremost authorities on Microsoft and cybersecurity – including Paula Januszkiewicz, Sami Laiho, and Russell Smith.

Encompassing Microsoft platforms and products, the findings not only assess the number of vulnerabilities, but also their severity rating. On top of this, we have created a ‘Report Retrospective’ section, which offers a six-year vulnerability trend analysis. This provides valuable context into understanding where the threat landscape is growing, and how we need to prepare for the future.

With approximately 1.5 billion people relying on Windows operating systems every day, and 27% of breaches being caused by unpatched vulnerabilities, it is paramount that organizations stay ahead of malicious actors who are taking advantage of the expanding attack surfaces.

Let’s take a closer look at the latest findings below.

2022 Microsoft Vulnerabilities Report: Key Findings

Last year’s report set a high watermark for total Microsoft vulnerabilities, recording a steep rise over the previous year. In 2021, Microsoft vulnerabilities dropped to 1,212 – a 5% decrease from the 1,268 recorded in 2020. On paper, a decrease may sound positive, but keep in mind that this number is still elevated when looking at the historic data of Microsoft vulnerabilities.

Another interesting discovery in this year’s research is that, for the second year running, the Elevation of Privilege category of vulnerabilities towered above all other categories. In 2021, Elevation of Privilege vulnerabilities accounting for nearly half (49%) of all Microsoft vulnerabilities. Prior to 2020, Remote Code Execution was consistently the most common type of Microsoft vulnerability. This sudden, and persistent, change could owe to multiple factors. We suspect that attackers are seeking new ways to gain privileges since more organizations are removing admin rights as a security best practice.

Without easy access to users with local admin rights, attackers have started to innovate to gain elevated privileges that can then be used to compromise systems, steal credentials, and move laterally. In addition to this, the ever-increasing attack surface of cloud applications and systems provides an environment where elevated privileges are highly desirable to a threat actor.

Other key findings from the latest Microsoft Vulnerabilities Report include:

• Most of the high-impact vulnerabilities detailed in the report highlight the risks of on-premise technology and that a shift to the cloud can improve an organization’s security
• Vulnerabilities in IE and Edge in 2021 were at a record high of 349, roughly 4x the previous year’s totals
• There was a 47% decrease in Critical Microsoft vulnerabilities year-over-year, marking a record low for this report
• Windows vulnerabilities decreased by 40% year-over-year

Microsoft’s ‘Cloud’ Has a Silver Lining

A positive takeaway from this year’s report is how well Microsoft is performing when it comes to security in their cloud services. Vulnerabilities in Azure and Dynamics 365 remained consistently low for the last couple of years.

In fact, most of the high-impact vulnerabilities we detail within the report also highlight the risks of on-premises technology and indicate that a shift to the cloud can improve an organization’s security.

Microsoft’s Move to a Common Vulnerability Scoring System (CVSS)

One of the most significant changes for this year’s report is the fact that, in November 2020, Microsoft shifted over to a CVSS format for reporting their vulnerabilities. This new system makes it easier for Microsoft’s vulnerabilities to be cross-referenced with third-party bugs. However, there has been an unfortunate trade-off in the process.

Prior to its move to the CVSS format, Microsoft had been using their own method of sharing CVE details via their Security Update Guide. The former reporting format used to feature an executive summary for each reported vulnerability. From this summary, security researchers could deduce whether any given vulnerability (specifically, the Critical ones) could have been mitigated had admin rights been removed from the user. Unfortunately, this type of important analysis is no longer possible. With that said, removing admin rights remains a best practice that is as important as ever to reduce the expanding attack surfaces as a consequence of digital transformation initiatives, to and provide proactive threat prevention and mitigation.

How to Proactively Reduce Vulnerability Risk

While there was a slight dip in total vulnerabilities in 2021 as compared to 2020, Microsoft vulnerabilities are just slightly off their all-time highs. Timely patching and an automated vulnerability management program are important ways to minimize the chance of a vulnerability-related breach.

However, with patching and vulnerability management programs alone, organizations remain at-risk to zero-day exploits. In addition, patching vulnerabilities is not always straightforward, or even desirable, based on an organization’s environment. That’s why it’s crucial to have proactive security defenses in place.

As past editions of the Microsoft Vulnerability Report have clearly found, removing admin rights is a powerful defensive measure, even providing proactive protection against many zero day threats. From the years 2015 – 2020 (when such data was available), removing admin rights could have mitigated, on average, 75% of Critical Microsoft vulnerabilities. In addition to providing strong baseline security, removing admin rights and enforcing least privilege are increasingly demanded by cyber insurance providers, and are controls consistent with zero trust security principles.

In his exclusive commentary for the 2022 report, Sami Laiho – Senior Technical Fellow and Microsoft MVP - states, “I’ve done hundreds of big projects on this, removing more than 1 million local admins from companies, and the results speak for themselves... I have customers who saw 75% fewer Service Desk tickets after removing admin rights. Computers just work better when you don’t have privileges to break them.”

In the report, Russell Smith, Editorial Director of Petri IT Knowledgebase, affirms “I have always been a strong advocate for limiting access to admin rights. But despite the importance of running with standard user privileges for protecting systems and data, it is still not possible to natively manage in Windows today… BeyondTrust continues to provide the best solution for enabling that fine balance between security and usability in Windows.”

BeyondTrust’s integrated platform and solutions proactively protect all identities, access, and endpoints across your entire environment. Our class-leading Endpoint Privilege Management solution can:

• Quickly Implement Least Privilege: Eliminates local admin rights across all endpoints and achieves rapid time-to-value with out-of-the-box Quick Start policies
• Stop Phishing, Ransomware & Malware: Reduces attack surfaces by assigning Just-in-Time (JIT) privileges only to approved applications scripts, tasks, and commands that require them
• Ensure Compliance: Addresses internal and external compliance needs by removing excess privileges, using application whitelisting, and providing an audit trail of user activity

Download the full Microsoft Vulnerabilities Report today for more insight, a detailed breakdown of the stats, and exclusive commentary from cybersecurity experts and thought leaders.