Hackers often focus on flaws in Microsoft products since they are commonly employed in various institutions and personal computers, which means they have a bigger area to attack.
This is because these systems could be used as an entry point into sensitive information, letting attackers take over or spread malicious software and malware without permission.
Cybersecurity researchers at BeyondTrust recently detected over 1200 vulnerabilities in Microsoft products in 2023.
Technical Analysis
In 2023 alone, the company still had to address 522 problems with Windows (55 of them critical), 249 with Edge, 92 with Office, and 558 with Windows Server (57 of them critical) — although those numbers were down from their heights in 2022.
However, there was also an alarming surge in new types of vulnerabilities, and the Denial of Service flaws grew by more than half to 109.
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo
Spoofing vulnerabilities skyrocketed by nearly four times from 31 to 90, pointing to new attack vectors even as overall vulnerability disclosures dropped.
Totals remained flat for four years following Microsoft’s vulnerability peak in 2020, fluctuating within 7% of one another before settling at 1228 in 2023; it’s a 5% decrease from the record high of 1292 set in 2022, according to the report.
This flat was brought about by retiring the legacy products predating Microsoft’s Security Development Lifecycle, which were replaced with newer, more secure offerings.
Though not as significant as previous years’ declines, the continued fall is still good news for IT professionals encouraged by this trend.
The likelihood of successful exploitation varies greatly depending on how widely known and understood any given flaw may be among potential attackers.
So, the overall counts only indicate environmental robustness rather than reflecting entire risk landscapes.
While the National Vulnerability Database marked 33 Microsoft flaws in 2023 as critical (9.0+ score), a 50% increase from 2022, Microsoft classified 84 as critical, down 6%.
Elevation of Privilege remained the top vulnerability category despite a 31% drop to 490, followed by Remote Code Execution’s 13% rise to 356, partly offset by Azure, Office, and Windows declines.
The RCE increase in Windows Server resulted from Microsoft’s collaboration with security researchers, disclosing and patching flaws before public exploitation.
Browser and document viewer vulnerabilities declined as Edge adopted Chromium’s matured security, and dropping Internet Explorer eliminated drive-by downloads and Flash exploits.
Critical Edge vulnerabilities dived from 162 in 2017 to just 1 in 2023, presenting Chromium’s hardened security benefits.
While up in 2023, Office vulnerability totals show a long-term downward trend as older versions reach End-of-Life, forcing attackers to innovate past mitigations like disabling auto-run macros.
However, adding SketchUp 3D file support introduced 117 new vulnerabilities that bypassed initial patches, temporarily disabling the feature.
Mitigations
Here below we have mentioned all the mitigations offered by the cybersecurity researchers:-
- Enforce the least privilege by removing local admin rights
- Follow security hardening protocols7 such as patching
- Secure remote access pathways
- Tailor vulnerability management to your own environment
- Stay vigilant to emerging threats
- Implement identity threat detection and response (ITDR)
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
