Record high 1,268 total Microsoft vulnerabilities discovered in 2020


BeyondTrust has released the 2021 Microsoft Vulnerabilities Report. The research includes the latest annual breakdown of Microsoft vulnerabilities by category and product, as well as a five-year trend analysis, providing a holistic understanding of the evolving threat landscape. The data in this report provides a crucial barometer of the threat landscape for the Microsoft ecosystem.

In related news, cyberattackers are taking full advantage of slow patching or mitigation of the Microsoft Exchange Server zero-day vulnerabilities, which are continuing to rise.

The key findings from the report are:

  • In 2020, a record-high number of 1,268 Microsoft vulnerabilities were discovered, a 48% increase YoY
  • The number of reported vulnerabilities has risen an astonishing 181% in the last five years (2016-2020)
  • Removing admin rights from endpoints would mitigate 56% of all Critical Microsoft vulnerabilities in 2020
  • For the first time, “Elevation of Privilege” was the #1 vulnerability category, comprising 44% of the total, nearly three times more than in the previous year
  • 87% of Critical vulnerabilities in Internet Explorer and Microsoft Edge would have been mitigated by removing admin rights
  • 70% of Critical vulnerabilities affecting Windows 7, Windows RT, 8/8.1 and 10 would have been mitigated by removing admin rights
  • 80% of Critical vulnerabilities in all Office products (Excel, Word, PowerPoint, Visio, Publisher, and others) would have been mitigated by removing admin rights
  • 66% of Critical vulnerabilities affecting Windows Servers would have been mitigated by removing admin rights

Morey Haber, CTO & CISO at BeyondTrust, noted: “In terms of the huge increase of vulnerabilities (48% YoY), the reason poses a very perplexing question and one that I cannot answer. For a similar timeframe last year, Microsoft was still supporting Windows 7 and Windows 2008 R2 (EOL January 2020). Microsoft had more GA (Generally Available) desktop and server products on the market than today. So why with less available products are there more vulnerabilities? Is it because threat actors are getting more sophisticated in their attacks, is Microsoft code becoming less secure as they adopt rapid agile releases, or is the bloat in sophistication and features just leading to more vulnerabilities? Realistically, it is probably a combination of all three, but it is counter-intuitive to think if you have less products to support then you should have fewer vulnerabilities. That is clearly not the case for 2020 and as we know now, 2020 will go down in history for a variety of events.”