BeyondTrust: Microsoft Vulnerabilities Near Highest-Ever Numbers in 2023
Cybercriminals remain focused on compromising identities.
![Microsoft vulnerabilities](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt57d3cd1962082bb7/652450749cf134adba8299e5/Security-Vulnerability.jpg?width=700&auto=webp&quality=80&disable=upscale)
ra2 studio/Shutterstock
Among key findings in the Microsoft vulnerabilities report:
- Total vulnerabilities have remained between 1,200 and 1,300 annually since 2020.
- The elevation of privilege vulnerability category continues to dominate, accounting for 40% (490) of the total vulnerabilities in 2023.
- Denial-of-service vulnerabilities climbed 51% to hit a record high of 109 in 2023, with spoofing demonstrating a dramatic 190% increase, from 31 to 90.
- The total number of critical vulnerabilities continued its downward trend, but slowed its descent, dropping by 6% to 84 in 2023 (five fewer than in 2022).
- After Microsoft Azure and Dynamics 365 vulnerabilities skyrocketed in 2022, they almost halved in 2023, down from 114 to 63.
- Microsoft Edge experienced 249 vulnerabilities in 2023, only one of which was critical.
- There were 522 Windows vulnerabilities in 2023, 55 of which were critical.
- Microsoft Office experienced 62 vulnerabilities in 2023.
- The Windows Server category had 558 vulnerabilities in 2023, 57 of which were critical.
As Microsoft moves increasingly to the cloud, attackers are focusing on identities, and exploiting the privileges and access that an identity has to access the data and systems they are targeting, said BeyondTrust’s James Maude.
“This is because not only are we seeing fewer vulnerabilities to target, but also because it is simply easier to compromise an identity and log in to achieve their objectives,” he said.
The long-term historic trend shows that great improvements have been made in the past 10 years, “but we are now seeing diminishing gains,” in part due to the long tail of systems and software Microsoft is having to support, which might carry historic bugs that have yet to be discovered, Maude said.
“This report also highlights that the vulnerabilities are all historic; for example, the recent addition of support for a new 3-D file format led to researchers discovering 117 unique vulnerabilities,” he said. “So while the historic trend is positive, we need to see some consistency in the way code is securely developed so we can have confidence in deploying the latest features.”
Despite overall stability in the Microsoft vulnerabilities data, the report’s analysis of critical vulnerabilities and innovative threat tactics predicts that now is not the time to get complacent, Maude said.
Looking ahead:
- Vulnerabilities and unpatched systems will continue to provide threat actors a means of attack.
- Expanding Microsoft technologies will continue to introduce new attack surfaces.
- Novel vulnerabilities will continue to emerge as threat actors uncover innovative pathways through Microsoft’s systems.
- Investments in research and security practices will continue to shift the way threat actors gain their foothold as it becomes easier to steal an identity to gain access than to exploit a vulnerability.
This year’s report is a “prime illustration” of the modern identity threat landscape, Maude said.
“The continued domination of elevation of privilege as the most common category of vulnerability, and the identity crisis highlighted at the end of the report, underscore the importance of privilege and the timeless security concept of least privilege,” he said.
“I think we will continue to see Microsoft wrestle with a long tail of security debt, some of which may have been buried deep in obscure OS features for 10, 15 or even 20 years while trying to move forward and re-architect towards a more secure future,” Maude said. “We will also see the heat turned up on securing identities and more focus on securing identities by default rather than relying on organizations to individually secure identities and accounts.”
BeyondTrust’s latest annual Microsoft vulnerabilities report shows total vulnerabilities continued their four-year holding pattern near their highest-ever numbers in 2023.
The BeyondTrust report analyzes data from security bulletins publicly issued by Microsoft throughout the previous year. The Microsoft vulnerabilities report provides information to help organizations understand, identify and address the risks within their Microsoft ecosystems.
Each Microsoft Security Bulletin includes one or more vulnerabilities, which apply to one or more Microsoft products.
Microsoft declined to comment on the report.
Categories of Microsoft Vulnerabilities
Microsoft typically groups vulnerabilities into these main categories:
- Remote code execution (RCE).
- Elevation of privilege (EoP).
- Information disclosure.
- Denial of service.
- Spoofing.
- Tampering.
- Security feature bypass.
James Maude, director of research at BeyondTrust, said despite decades of focus and investment in improving security, “we are still finding vulnerabilities like CVE-2023-23397.” That’s a vulnerability in the Windows Microsoft Outlook client that malicious hackers can exploit by sending a specially crafted email that triggers automatically when it is processed by the Outlook client. Microsoft issued a patch for this vulnerability last month.
![BeyondTrust's James Maude](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt941939c2dde8c2c0/6626d4ed76af8b092a48e08d/Maude_James_BeyondTrust_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
BeyondTrust's James Maude
“This [vulnerability] has lain dormant until someone noticed that a feature designed to play a custom notification sound when an email arrived could also be used to make an SMB connection and leak NTLM hashes externally,” he said.