While the total number of recorded Microsoft vulnerabilities was higher in 2022 than ever before, the number of critical vulnerabilities declined to its lowest point, according to the latest Microsoft Vulnerability Report by BeyondTrust.
In 2022, only 6.9% of Microsoft’s vulnerabilities were rated as critical — less than half the number of critical vulnerabilities recorded in 2020. In 2013, 44% of all Microsoft vulnerabilities were classified as critical.
Vulnerabilities categorised as critical are those with characteristics that make their exploitation a potentially high-impact security event.
“This trend indicates that, while overall vulnerabilities have increased in number, the risks and worst-case scenarios associated with these individual vulnerabilities have decreased from previous years,” BeyondTrust said.
It also shows that while the overall Microsoft attack surface is expanding along with the expansion of Microsoft’s business, the organisation is doing a better job at minimising the most dangerous types of development errors.
Attackers may chain multiple, less severe attacks
As critical vulnerabilities decline, attackers may need to chain less severe exploits together to achieve code execution, elevate their system privileges, and move around victim networks, BeyondTrust said in the 10th edition of its report.
The chaining technique, however, provides security teams with more potential points through which they can detect, intercept, and mitigate a breach.
“If an attacker needs to chain three or more vulnerabilities together to reach their objective, then you just need to have mitigated or patched one of them to break the chain,” BeyondTrust said.
Successful exploits against Microsoft systems will also require a higher level of attacker skill, which could reduce the number of possible adversaries.
In 2022, Microsoft identified 715 elevation-of-privilege vulnerabilities, a 22% increase over 2021 and a 689% increase from 2017. This is a crucial data point: an attacker's objective is to get their code to run, and to run it with enough privileges for the attack to succeed.
“To achieve this objective, attackers need to have remote code execution, the ability to launch their code on a target system, and elevation of privilege to make sure this code runs with enough privilege,” BeyondTrust said.
Office vulnerabilities decline
The Microsoft Office products category experienced a 45% drop in vulnerabilities in 2022, though critical vulnerabilities in the software suite increased from a low of one in 2021 to two instances in 2022.
“While there is an overarching downward trend in the number of Microsoft Office vulnerabilities, Office applications have remained a successful target for threat actors. This is largely due to the lag times between discovery and patching,” BeyondTrust said.
The downward trend in vulnerabilities can also be attributed to Microsoft’s efforts to cut off common attack vectors, such as VBA macros in documents delivered from the internet. Previous mitigation attempts were merely soft blocks that could be circumvented by socially engineering the end user into enabling macros. In 2022, Microsoft blocked internet macros by default in Office applications.
ChatGPT could bring new vulnerabilities
Microsoft has been investing heavily in ChatGPT developer OpenAI since 2019 and has plans to integrate AI into several of its products. ChatGPT is already being incorporated into the Microsoft search engine, Bing, with the hope of finally making it a stronger search competitor to Google.
However, the extensive use of AI could introduce new kinds of vulnerabilities as well, BeyondTrust warns. “AI learns from often vast data sets and fundamentally expands the entities that can be used to exploit a system,” BeyondTrust said.
AI systems can be vulnerable to manipulation and exploitation by malicious actors, who could use AI to carry out cyberattacks or gain unauthorised access to sensitive information.
“As the technology landscape continues its next phase of evolution, vulnerability numbers should continue to climb, new threats will continue to crawl out from the cyber-ether,” BeyondTrust said.