The number of critical vulnerabilities found in Microsoft products dropped for the second year in a row in 2022, according to the 10th annual analysis by BeyondTrust.
In 2022, 6.9 per cent of Microsoft’s vulnerabilities were rated as ‘critical,’ while in 2013, 44 per cent of all Microsoft vulnerabilities were classified as ‘critical,’ says the report released Tuesday.
However, the total number of vulnerabilities discovered keeps going up. Worse, elevation of privilege vulnerabilities continue to make up the largest category of bugs, accounting for 55 per cent of the 1,292 vulnerabilities discovered last year.
This shows the need for the removal of admin rights and enforcement of least privilege to proactively mitigate vulnerabilities, the report says.
Also significant is that holes in Azure and Dynamics 365 leaped 159 per cent last year to 114, compared to 44 in 2021.
However, there are signs Microsoft is making progress in its efforts to eliminate vulnerabilities. For example, none of the 311 vulnerabilities found last year in the Edge browser were critical. There were only 36 vulnerabilities overall found in Office last year, a five-year low. Windows Server vulnerabilities rose slightly compared to 2021.
As critical vulnerabilities become scarcer, attackers may need to chain multiple, less severe exploits together to gain code execution, elevate privileges, and move around the network, the report argues.
“From a defender’s point of view, this is a good thing because it requires a higher level of attacker skill and reduces the number of possible adversaries. It also provides more potential points to detect, intercept, and mitigate a breach. If an attacker needs to chain three or more vulnerabilities together to reach their objective, then you just need to have mitigated or patched one of them to break the chain.”
However, the report adds, an attacker’s objective remains unchanged: they want to get their code to run — usually through remote code execution — and they want it to be able to run with enough privileges that they can execute their malicious intent — usually by escalating privileges.
That is why the two biggest takeaways from the data, says the report, are that IT admins should ensure operating system and third-party software are up to date and that there is no end-of-life software in their IT environments, and that they should remove excessive privileges, especially on endpoints.
Two of the biggest Office vulnerabilities found last year, says the report, were:
— the Follina exploit of Office vulnerability CVE-2022-30190. It leveraged the Microsoft Office protocol and MSDT, a Microsoft support tool, to allow code to run even if macros were disabled, or when the user simply opened a preview of the file. As early as 2021, researchers raised the issue of abusing Office protocols; however, it was initially dismissed as a non-issue. A patch wasn’t released until June 14;
— DogWalk (CVE-2022-34713), which also exploited the Microsoft support tool MSDT. DogWalk was first reported to Microsoft in late 2019, but Microsoft initially took a dismissive stance toward the potential impact and significance of the vulnerability, says the report. Only after reports surfaced of the DogWalk zero-day being exploited in the wild, combined with fresh news of the Follina vulnerability, did Microsoft make a U-turn, says the report, and issue a security warning in August.
The report also notes that IT admins should score servers on their application risks – not on the number of critical vulnerabilities, but on their context. For example, a server with a critical vulnerability that is exposed to the internet and has sensitive information has a higher risk than one with the same vulnerability but not open to the internet. This points to the need for a patch management strategy.
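As an added illustration of the context-based scoring described above (example code written for this page, not from the BeyondTrust report), the script below ranks servers by severity weighted with exposure and data sensitivity rather than by raw count of critical bugs; the weights, server names and CVE placeholders are assumptions.

```python
from dataclasses import dataclass, field

# Assumed weights for illustration only; they are not values from the report.
SEVERITY_WEIGHT = {"critical": 10, "important": 6, "moderate": 3, "low": 1}
CATEGORY_WEIGHT = {"remote code execution": 1.5, "elevation of privilege": 1.3}


@dataclass
class Vuln:
    cve: str        # placeholder identifiers below, not real CVE numbers
    severity: str
    category: str


@dataclass
class Server:
    name: str
    internet_exposed: bool
    sensitive_data: bool
    vulns: list = field(default_factory=list)


def vuln_score(v: Vuln) -> float:
    """Raw score: vendor severity scaled by how directly the bug serves an attacker's goal."""
    return SEVERITY_WEIGHT[v.severity.lower()] * CATEGORY_WEIGHT.get(v.category.lower(), 1.0)


def server_risk(s: Server) -> float:
    """Context multipliers: the same bug counts more on an exposed host holding sensitive data."""
    multiplier = 1.0
    if s.internet_exposed:
        multiplier *= 3.0
    if s.sensitive_data:
        multiplier *= 2.0
    return round(sum(vuln_score(v) for v in s.vulns) * multiplier, 1)


def prioritise(servers: list) -> list:
    """Patch order: highest contextual risk first, regardless of how many 'criticals' a host has."""
    return sorted(servers, key=server_risk, reverse=True)


# Constructed sample inventory: two hosts share the same critical RCE, one has only EoP bugs.
INVENTORY = [
    Server("dmz-web-01", True, True, [Vuln("CVE-PLACEHOLDER-1", "critical", "remote code execution")]),
    Server("intranet-db-02", False, True, [Vuln("CVE-PLACEHOLDER-1", "critical", "remote code execution")]),
    Server("build-agent-03", False, False, [Vuln(f"CVE-PLACEHOLDER-{n}", "important", "elevation of privilege") for n in (2, 3, 4)]),
]

if __name__ == "__main__":
    for s in prioritise(INVENTORY):
        criticals = sum(v.severity == "critical" for v in s.vulns)
        print(f"{s.name:16} risk={server_risk(s):6.1f} criticals={criticals}")
```

The two hosts with one critical each land 60 points apart once exposure is counted, and the host with no criticals at all still outranks nothing here but sits close to the internal database, which is the report's point about prioritising by context.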
The report says IT leaders must also
— enforce the principle of users having the least privileges, including removing local admin rights;
— follow Microsoft’s security hardening protocols;
— secure remote access pathways, by, for example, ensuring Microsoft Remote Desktop Protocol is not exposed to the internet;
— and stay vigilant about emerging threats.