While elevated privilege attacks remain a critical security concern when using Microsoft products, a new report says that the raw number of vulnerabilities is dropping.

The total number of Microsoft vulnerabilities reported in 2021 dropped by 5%, reversing a five-year trend that saw such vulnerabilities rising sharply, according to a new report from identity management and security vendor BeyondTrust.

A total of 1,212 new vulnerabilities were discovered in 2021, but their severity, as well as their location in the Microsoft family of software products, has changed substantially year over year. Vulnerabilities rated as "critical" on the CVSS standard dropped by 47% in the past year, reaching their lowest levels since BeyondTrust began issuing this report nine years ago.

Vulnerabilities on Windows, Windows Server drop

Windows and Windows Server both saw sharp drops in total vulnerabilities detected, by 40% and 50%, respectively, while vulnerabilities affecting Microsoft's Edge and Internet Explorer browsers hit a record high. Assisting in the latest analysis is Microsoft's move to NIST's common vulnerability scoring system, which lets researchers cross-reference security flaws more directly with bugs in the outside ecosystem.

The most common type of vulnerability seen in 2021 involved privilege elevation, where an attacker gains admin rights to a system through illicit means. A total of 588 such vulnerabilities were discovered in 2021.
BeyondTrust's researchers credit a more widespread adherence to good security practices for this rise: perversely, a general decrease in users with unnecessary admin privileges helped focus bad actors' efforts on attempts to gain elevated privileges in different ways.

Attackers innovate to gain admin rights

"Without easy access to users with local admin rights, attackers have started to innovate to gain elevated privileges that can then be used to compromise systems, steal credentials, and move laterally," the report said.

The second-most common type of vulnerability centered on remote code execution, which is particularly dangerous since attacks targeting such flaws can be conducted remotely, with little or no user interaction required. A total of 326 of these vulnerabilities were found in 2021, 35 of which rated a 9.0 or higher on the CVSS scale.

"With this type of risk, a workable exploit is not a matter of 'does an exploit exist,' but rather 'when will it be publicly available,'" said the BeyondTrust report.

The report also broke out vulnerabilities in key Microsoft products, including Azure, Windows and Microsoft Office. The latter saw just one critical vulnerability, compared with a total of 66 found in 2021, while the same numbers for Azure and Dynamics 365 were seven and 44, respectively.

BeyondTrust's researchers praised Microsoft's consistent efforts to keep Azure safe, and lauded a "steady decline" in Office vulnerabilities. Similarly, the Windows operating system itself saw a 40% drop in total vulnerabilities in 2021 compared to the previous year, with a 50% drop in critical security flaws.