BeyondTrust has announced the release of the 2024 Microsoft Vulnerabilities Report. Produced annually by BeyondTrust, this report analyses data from security bulletins publicly issued by Microsoft throughout the previous year and provides valuable information to help organisations understand, identify, and address the risks within their Microsoft ecosystems.
Each Microsoft Security Bulletin comprises one or more vulnerabilities, each of which applies to one or more Microsoft products. Microsoft typically groups vulnerabilities into these main categories: Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Denial of Service (DoS), Spoofing, Tampering, and Security Feature Bypass.
Comprehensive report breaks down CVEs and key shifts in vulnerability trends
This year’s edition of the report also assesses how vulnerabilities are being leveraged in identity-based attacks, spotlighting some of the most significant CVEs of 2023 (9.0+ CVSS severity scores).
Highlights and key findings
Total and critical vulnerabilities demonstrated some of the most consistent data, year over year, since this report’s debut, a strong indicator that overall long-term security efforts are paying off. This may also reflect that attackers are increasingly re-focusing their efforts on exploiting identities, rather than Microsoft software vulnerabilities.
- After hitting an all-time high in 2022, total vulnerabilities stayed in their four-year holding pattern near record levels in 2023, remaining between 1,200 and 1,300, as they have every year since 2020.
- The Elevation of Privilege category continues to dominate, accounting for 40% (490) of the total vulnerabilities in 2023.
- Denial of Service vulnerabilities climbed 51% to hit a record high of 109 in 2023, with Spoofing demonstrating a dramatic 190% increase, from 31 to 90.
- The total number of critical vulnerabilities continued its downward trend but slowed its descent, dropping by 6% to 84 in 2023 (five fewer than in 2022).
- After Microsoft Azure & Dynamics 365 vulnerabilities skyrocketed in 2022, they almost halved in 2023 – down from 114 to 63.
- Microsoft Edge experienced 249 vulnerabilities in 2023, only one of which was critical.
- There were 522 Windows vulnerabilities in 2023, 55 of which were critical.
- Microsoft Office experienced 62 vulnerabilities in 2023.
- The Windows Server category had 558 vulnerabilities in 2023, 57 of which were critical.
“This report continues to highlight the need to keep improving security, not only at Microsoft, but also for all organisations who are looking to better manage cyber risks in the context of an evolving threat landscape,” said James Maude, Director of Research at BeyondTrust. “This year’s report was a prime illustration of the modern identity threat landscape. The continued domination of Elevation of Privilege as the most common category of vulnerability, and the identity crisis highlighted at the end of the report, underscore the importance of privilege and the timeless security concept of least privilege. It also emboldens BeyondTrust’s mission to provide the broadest level of visibility and protection of paths to privilege.”
Detailed analysis predicts the future of Microsoft vulnerabilities
Despite overall stability in the Microsoft vulnerabilities data, the report’s analysis of critical vulnerabilities and emerging threat tactics suggests that now is not the time to become complacent:
- Vulnerabilities and unpatched systems will continue to provide threat actors a means of attack.
- Expanding Microsoft technologies will continue to introduce new attack surfaces.
- Novel vulnerabilities will continue to emerge as threat actors uncover innovative pathways through Microsoft’s systems.
- Investments in research and security practices will continue to shift the way threat actors gain their foothold, as it becomes easier to steal an identity to gain access than to exploit a vulnerability.
Despite predicting an increase in the volume and sophistication of identity-based attacks, this year’s report shows once again that long-standing, foundational security principles such as least privilege will continue to offer the best line of defence, even against modern threats, and that organisations that successfully pair preventative security controls with threat detection and response will continue to be far better placed to withstand tomorrow’s threats.
You can read the full report here.