Elevation of Privilege is the #1 Microsoft vulnerability category

BeyondTrust announced the release of a report which includes the latest annual breakdown of Microsoft vulnerabilities by category and product, as well as a six-year trend analysis, providing a holistic understanding of the evolving threat landscape.

The report analyzes data from security bulletins publicly issued by Microsoft throughout the previous year.

Microsoft groups vulnerabilities that apply to one or more of their products into the following main categories: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Tampering, Information Disclosure, Denial of Service, and Spoofing. The findings in this year’s report will help organizations better understand and address risks within the Microsoft ecosystem.

Breakdown of Microsoft vulnerabilities

• For the second year running, Elevation of Privilege was the #1 vulnerability category, accounting for 49% of all vulnerabilities in 2021
• Of the 326 remote code execution vulnerabilities reported in 2021, 35 had a CVSS score of 9.0 or higher
• Most of the high-impact vulnerabilities detailed in the report highlight the risks of on-premises technology, indicating that a shift to the cloud can improve an organization’s security
• Vulnerabilities in IE and Edge in 2021 were at a record high of 349, roughly 4x higher than in 2020

“It is critical that organizations continue to carefully manage administrative privilege use to protect against vulnerabilities in Microsoft’s software,“ said Russell Smith, Editorial Director, Petri IT Knowledgebase.

“I’ve always been a strong advocate for limiting access to admin rights. But despite the importance of running with standard user privileges for protecting systems and data, it is still not possible to natively manage in Windows today. Organizations need to manage privileged access on endpoints in a flexible and secure way that reduces risks to the business while allowing employees to do their work.”

“Microsoft’s move to the Common Vulnerability Scoring System (CVSS), now makes it easier for vulnerabilities to be cross-referenced with third-party applications that leverage affected services,” said Morey Haber, CSO at BeyondTrust.

“However, this is a trade-off because of the loss of visibility to determine the impact of administrative rights on critical vulnerabilities. What is clear, is the continued risk of excessive privileges. With the growing risk of privileged attack vectors caused by cloud deployments, the removal of admin rights remains a critical step to reduce an organization’s risk surface. This can be achieved by adopting a least privilege strategy and enabling zero-trust architectures throughout an environment.”

The CVSS provides a way to capture the principal characteristics of a vulnerability and produces a numerical score reflecting a vulnerability’s severity level, from 0 to 10. It’s important to consider that, when scoring vulnerabilities, organizations should not rely exclusively on the vendors’ CVSS Base Score to prioritize risk and remediation plans. End users should apply custom environment metrics to translate the risk to their own organizations. Guidance for this calculation can be found on NIST’s website.

With the consistently high volume of Microsoft vulnerabilities, ensuring endpoints are secured is more critical than ever. The removal of administrative rights is essential for mitigating many of the risks outlined in this report.