
April 26, 2024

BeyondTrust 2023 Report Indicates 5% Reduction in Microsoft Security Vulnerabilities


The number of Microsoft vulnerabilities has mostly flattened in 2023, with elevation of privilege and identity attacks being particularly common, according to BeyondTrust’s annual Microsoft Vulnerabilities report.

Identity and access management solutions company BeyondTrust studied the most significant CVEs of 2023 and Microsoft vulnerability data from Microsoft’s monthly Patch Tuesday bulletins. The report includes vulnerability trends and tips about how to reduce identity attacks.

The total number of Microsoft vulnerabilities has remained mostly steady for the past four years, with a slight (5%) dip in 2023 from 1,292 to 1,228 reported vulnerabilities.

“Microsoft’s efforts to promptly patch known vulnerabilities may be offsetting the discovery of new ones by reducing the window of opportunity for attackers to exploit vulnerabilities,” David Morimanno, director of identity and access management technologies, Integral Partners, told BeyondTrust. “Also, as the MS codebase matures, new vulnerabilities might be getting introduced at a slower rate.”

Critical vulnerabilities in Microsoft products, denoted by a score of 9.0 or higher on NIST’s Common Vulnerability Scoring System, appear to be decreasing. In 2023, there were 84 such vulnerabilities compared to 89 in 2022, and a significant 196 in 2020.

It’s worth mentioning that Microsoft’s own severity rating system may generate different figures compared to NIST. For the year 2023, whereas NIST classified 33 vulnerabilities as critical, Microsoft marked a total of 84 such vulnerabilities. Notwithstanding the difference in numbers, Microsoft’s classification also indicates a downward trend in vulnerabilities year-over-year, registering a reduction by 6% in severe vulnerabilities.

While all recorded vulnerabilities in Microsoft deserve attention, not every one of them poses a considerable risk. Some exist merely in theory or would have minor impact even if exploited. However, there are those which could inflict severe damage on an organization if exploited, and Microsoft usually labels these as critical, irrespective of whether they have been taken advantage of by a threat actor or not.

Looking at the data for 2023, the following stood out as the most common types of vulnerabilities:

Among the critical vulnerabilities, most were discovered within the Windows Desktop and Server categories. Since these two categories share the same codebase, their incidence numbers being alike isn’t much of a surprise.

Even though elevation of privilege ended up being the most frequent vulnerability, with 490 instances noted in 2023, this marked a significant drop from the 715 instances recorded in 2022. Azure and Windows Server, in particular, displayed a significant reduction in elevation of privilege vulnerabilities.


There was a decrease in the occurrence of remote code execution vulnerabilities in Azure, Office, and Windows. However, there was an observed increase in these vulnerabilities within Windows Server.

For specifics about which Microsoft products experienced particular vulnerabilities and when, refer to the comprehensive report.

“Despite the stabilization of overall vulnerabilities in Microsoft and a decrease in critical vulnerabilities, it’s been observed that attackers, similar to water, follow the path of least resistance and focus more heavily on identities,” stated the report.

Microsoft was a victim of the Midnight Blizzard attack, a state-endorsed breach that may have affected U.S. federal agencies due to identity-based infiltration caused by password spraying.

According to Jay Beale, CEO and CTO of IT consulting firm InGuardians, Inc., who spoke with BeyondTrust for the report, “Midnight Blizzard is yet another example of the well-known saying, ‘Attackers don’t break in – they log in.’”

It’s surprisingly easy for attackers to infiltrate systems through identity-based methods; they simply need to obtain valid login details. This type of risk can emerge unpredictably and can appear in a multitude of forms:

The report suggests that to prevent a greater number of identity-based infiltration attacks, defenders should adopt a more comprehensive approach. This approach should include consideration of privileges as well as improved awareness and detection of identity threats.

During a conversation with BeyondTrust, Paula Januszkiewicz, the CEO of CQURE, stressed the vital role that awareness and education play among users. Comparing cybersecurity to hacking, which is usually a lone wolf activity, she argued that the former inherently requires collective effort. She strongly believes, like the report also mentions, that a human-focused strategy is key for cybersecurity.

There are several possible explanations for why the risks associated with Microsoft products are gradually declining, according to BeyondTrust. Continual updates mean that outdated and potentially insecure code — some possibly dating as far back as 20 years — is being phased out. Particularly, products created prior to Microsoft’s initiation of the Security Development Lifecycle in 2004 are being fully retired. It seems that Microsoft’s long-term security strategies are beginning to bear fruit. Simultaneously, cloud technologies are becoming more sophisticated and can now be secured more effectively.

BeyondTrust attributed some of the success in decreasing vulnerabilities to Microsoft’s increased collaboration with its security research community. In particular, the security research community detected many of the remote code execution vulnerabilities found in Windows Server in 2023.

Using a Chromium code base for Edge instead of a custom Microsoft codebase and removing support for Internet Explorer may have both reduced instances of critical vulnerabilities in Edge.

Microsoft has locked down many ways attackers can exploit phishing and malware payloads using Office applications. However, the addition of support for SketchUp Software’s proprietary SKP files in June 2022 allowed for some vulnerabilities to be exploited through 3D models.
