
BeyondTrust Releases 2024 Annual Microsoft Vulnerabilities Report

The Microsoft Vulnerabilities Report finds vulnerability numbers remain high with elevation of privilege remaining the #1 vulnerability category  

BeyondTrust has announced the release of the 2024 Microsoft Vulnerabilities Report, which it produces annually. The report analyzes data from the security bulletins Microsoft publicly issued throughout the previous year and provides information to help organizations understand, identify, and address the risks within their Microsoft ecosystems.  

Each Microsoft Security Bulletin comprises one or more vulnerabilities, each of which applies to one or more Microsoft products. Microsoft typically groups vulnerabilities into these main categories: Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Denial of Service (DoS), Spoofing, Tampering, and Security Feature Bypass.  

Comprehensive report breaks down CVEs and key shifts in vulnerability trends 

This year’s edition of the report also assesses how vulnerabilities are being leveraged in identity-based attacks, spotlighting some of the most significant CVEs of 2023 (9.0+ CVSS severity scores). 


Highlights and key findings  

Total and critical vulnerabilities demonstrated some of the most consistent data, year over year, since this report’s debut, a strong indicator that overall long-term security efforts are paying off. This may also reflect that attackers are increasingly re-focusing their efforts on exploiting identities, rather than Microsoft software vulnerabilities.  

  • After hitting an all-time high in 2022, total vulnerabilities continue their 4-year holding pattern near their highest-ever numbers in 2023, remaining between 1,200 and 1,300 (since 2020).    
  • Elevation of Privilege vulnerability category continues to dominate, accounting for 40% (490) of the total vulnerabilities in 2023. 
  • Denial of Service vulnerabilities climbed 51% to hit a record high of 109 in 2023, with Spoofing demonstrating a dramatic 190% increase, from 31 to 90. 
  • The total number of critical vulnerabilities continues its downward trend but slows its descent, dropping by 6% to 84 in 2023 (5 fewer than in 2022). 
  • After Microsoft Azure & Dynamics 365 vulnerabilities skyrocketed in 2022, they almost halved in 2023 – down from 114 to 63. 
  • Microsoft Edge experienced 249 vulnerabilities in 2023, only one of which was critical.  
  • There were 522 Windows vulnerabilities in 2023, 55 of which were critical.  
  • Microsoft Office experienced 62 vulnerabilities in 2023.  
  • Windows Server category had 558 vulnerabilities in 2023, 57 of which were critical.  

Detailed analysis predicts the future of Microsoft vulnerabilities 

Despite overall stability in the Microsoft vulnerabilities data, the report’s analysis of critical vulnerabilities and emerging threat tactics suggests that now is not the time to get complacent: 

  • Vulnerabilities and unpatched systems will continue to provide threat actors a means of attack.  
  • Expanding Microsoft technologies will continue to introduce new attack surfaces.  
  • Novel vulnerabilities will continue to emerge as threat actors uncover innovative pathways through Microsoft’s systems.  
  • Investments in research and security practices will continue to shift the way threat actors gain their foothold, as it becomes easier to steal an identity to gain access than to exploit a vulnerability. 

Despite predicting an increase in the volume and sophistication of identity-based attacks, this year’s report shows once again that long-standing, foundational security principles like least privilege will continue to offer the best line of defense—even against modern threats—and that organizations that successfully pair preventative security controls with threat detection and response will be much better poised to withstand tomorrow’s threats.  

The 2024 Microsoft Vulnerabilities Report can be found here.
