
April 27, 2024

BeyondTrust 2023 Report Highlights a 5% Decrease in Microsoft Security Vulnerabilities


The prevalence of Microsoft vulnerabilities in 2023 has somewhat stabilized, with elevation of privilege and identity attacks being particularly prominent, as per the yearly Microsoft Vulnerabilities report by BeyondTrust.

BeyondTrust, a firm that provides identity and access management solutions, analyzed the most notable CVEs of 2023 and Microsoft vulnerability data sourced from the periodic Patch Tuesday bulletins by Microsoft. The report details vulnerability patterns and offers guidance on minimizing the risk of identity attacks.

Over the past four years, the cumulative number of Microsoft vulnerabilities has largely remained unchanged, with a marginal decrease (5%) in 2023, from 1,292 down to 1,228 reported vulnerabilities.

David Morimanno, the Director of Identity and Access Management Technologies at Integral Partners, told BeyondTrust that Microsoft's immediate patching of known vulnerabilities may be balancing out the identification of new ones by shortening the window for attackers to take advantage of them. Additionally, as the MS codebase matures, new vulnerabilities could potentially be introduced at a slower rate.

The rate of critical Microsoft vulnerabilities (i.e., those with a score of 9.0 or higher on NIST’s Common Vulnerability Scoring System) has slowed. There were 84 Microsoft critical vulnerabilities in 2023, compared to 89 in 2022 and a five-year high of 196 in 2020.

Microsoft has its own severity rating system distinct from NIST, which will produce slightly different numbers. For example, 33 Microsoft vulnerabilities from 2023 were classified as critical in NIST’s scoring system, but Microsoft itself classified 84 vulnerabilities in 2023 as critical. Microsoft’s classification system still reflects the overall trend of a slight decrease in vulnerabilities year-over-year, showing a decrease in severe vulnerabilities by 6%.

BeyondTrust noted that not all recorded Microsoft vulnerabilities pose significant risk; some are mostly theoretical or would have minimal impact even if they were exploited. However, some would be severely damaging to an organization if exploited, and these are the ones Microsoft tends to classify as critical — whether or not a threat actor has actively exploited the vulnerability.

The most common types of vulnerabilities in 2023 were:

It is reported that the most critical vulnerabilities were primarily found in Windows Desktop and Server categories. Considering these categories share the same codebase, this coincidence is not necessarily surprising.

The most prevalent vulnerability identified was the elevation of privilege, with 490 instances detected in 2023. However, this represents a considerable decline from the 715 instances recorded in 2022. Azure and Windows Server, in particular, experienced a significant reduction in the number of elevation of privilege vulnerabilities.

It is noteworthy that Microsoft has recently announced general access to Security Copilot, a generative AI enhancement for its security product suite. (TechRepublic)

While remote code execution vulnerabilities saw a decline in Azure, Office, and Windows, they surfaced more prominently in Windows Server.

Information on the specific vulnerabilities discovered in various Microsoft products and their occurrence timeline is available in this comprehensive report.

The report noted, “With the overall number of Microsoft vulnerabilities reaching a stable figure and critical vulnerabilities witnessing a decline, it is evident that attackers — akin to water — are seeking the path of least resistance, focusing primarily on identities.”

Microsoft was the victim of the Midnight Blizzard attack, a state-sponsored breach that possibly affected U.S. federal agencies as a result of identity-based infiltration made possible by password spraying.

In the report by BeyondTrust, Jay Beale, CEO and CTO of IT consulting firm InGuardians, Inc., quoted the popular saying, ‘Attackers don’t break in — they log in,’ in reference to the Midnight Blizzard event.

Acquiring legitimate login details is all it takes for an attacker to carry out identity-based infiltration. The detection of identity threats can be challenging since they may arise unexpectedly and in various forms.

The report suggests that defenders adopt a more comprehensive approach to privileges, identity hygiene, and identity threat detection in order to spot more of these infiltration attacks.

Paula Januszkiewicz, the CEO of CQURE, spoke to BeyondTrust, stressing the need to foster a culture of awareness and education among all users. According to her, unlike hacking, which is usually a solo task, cybersecurity requires a joint effort. This view, reiterated in the report, emphasizes the significance of focusing on the human aspect in cybersecurity strategies.

BeyondTrust enumerated the reasons why risks to Microsoft products may be progressively diminishing. Refresh cycles continue, gradually eliminating old, potentially unsupported code that could be up to 20 years old. In particular, products developed prior to Microsoft's implementation of the Security Development Lifecycle in 2004 are being phased out completely. Microsoft's long-running security initiatives might be bearing fruit. Cloud technologies have evolved and can now be secured more efficiently.

BeyondTrust attributes some of the success in decreasing vulnerabilities to Microsoft’s increased collaboration with its security research community. The security research community, in particular, detected many of the remote code execution vulnerabilities found in Windows Server in 2023.

Edge saw a decrease in instances of critical vulnerabilities as a result of using a Chromium code base instead of a custom Microsoft codebase and the removal of support for Internet Explorer.

Microsoft has locked down many of the ways attackers can use Office applications for phishing and malware payloads. However, the addition of support for SketchUp Software’s proprietary SKP files in June 2022 enabled the exploitation of some vulnerabilities through 3D models.
