SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Elevation of Privilege the top 2021 Microsoft vulnerability
Thu, 26th May 2022
FYI, this story is more than a year old

BeyondTrust has released its 2022 Microsoft Vulnerabilities Report, finding that Elevation of Privilege is the top vulnerability category for the second consecutive year.

BeyondTrust produces The Microsoft Vulnerabilities Report annually, and it is now in its ninth edition.

The report analyses data from security bulletins publicly issued by Microsoft throughout the previous year.

The 2022 Microsoft Vulnerabilities Report includes the latest annual breakdown of Microsoft vulnerabilities by category and product, as well as a six-year trend analysis, providing a holistic understanding of the evolving threat landscape.

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produces a numerical score reflecting a vulnerability's severity level, from 0 to 10.

Elevation of Privilege accounted for 49% of all vulnerabilities in 2021, with BeyondTrust's report also finding that 35 out of the 326 remote code execution vulnerabilities reported in 2021 had a CVSS score of 9.0 or higher.

However, 2021 saw critical Microsoft vulnerabilities decrease by a total of 47%, the lowest since the report began.

“Microsoft's move to the Common Vulnerability Scoring System now makes it easier for vulnerabilities to be cross-referenced with third-party applications that leverage affected services,” BeyondTrust chief security officer Morey Haber says.

“However, this is a trade-off because of the loss of visibility to determine the impact of administrative rights on critical vulnerabilities.

“What is clear is the continued risk of excessive privileges.

“With the growing risk of privileged attack vectors caused by cloud deployments, the removal of admin rights remains a critical step to reduce an organisation's risk surface.

“This can be achieved by adopting a least privilege strategy and enabling zero-trust architectures throughout an environment.

Microsoft groups vulnerabilities that apply to one or more of its products into the following main categories:

  • Remote Code Execution
  • Elevation of Privilege
  • Security Feature Bypass
  • Tampering
  • Information Disclosure
  • Denial of Service
  • Spoofing

BeyondTrust says this year's findings will help organisations better understand and address risks within the Microsoft ecosystem.

The company adds that most of the high-impact vulnerabilities detailed in the report emphasise the risks of on-premises technology.

It says this indicates that migrating to the cloud can make an organisation's security more robust.

In addition, 2021 vulnerabilities in IE and Edge were at a record high of 349, approximately four times higher than 2020.

“It is critical that organisations continue to carefully manage administrative privilege use to protect against vulnerabilities in Microsoft's software,” Petri IT Knowledgebase editorial director Russell Smith says.

“I've always been a strong advocate for limiting access to admin rights. But despite the importance of running with standard user privileges for protecting systems and data, it is still not possible to natively manage in Windows today.

“Organisations need to manage privileged access on endpoints in a flexible and secure way that reduces risks to the business while allowing employees to do their work.