Microsoft reported a record 1,360 vulnerabilities across its products last year, an all-time high that surpasses the previous record of 1,292 set in 2022, according to a new report from cybersecurity firm BeyondTrust. (The report frames the rise as 11%; measured against the 2022 figure of 1,292, the increase is roughly 5%.)
Microsoft Office vulnerabilities in particular nearly doubled from 2023, reaching 62 in 2024.
At the same time, the firm reports that the longer-term trend suggests the pace of growth in vulnerabilities is stabilizing. "This, combined with the continued downward trend toward fewer critical vulnerabilities, suggests Microsoft's security initiatives and improvements in the security architecture of modern operating systems are paying off," the authors note.
However, the report warns of the "complexity of securing today's vast and diverse ecosystems, where evolving technologies, features, and interdependencies continue to introduce risk."
Other findings from the report include:
- Elevation of Privilege (EoP) and Remote Code Execution (RCE), the primary goals of any threat actor attempting to exploit a system, continue to dominate the vulnerability categories.
- Elevation of Privilege (EoP) vulnerabilities accounted for 40% (554) of all reported vulnerabilities.
- Critical vulnerabilities across the Microsoft ecosystem continued to decline overall in 2024.
- Security Feature Bypass vulnerabilities surged by 60%, from 56 in 2023 to 90 in 2024, increasing the pressure to reduce software vulnerabilities at the design stage through secure coding and threat modeling.
- Microsoft Edge vulnerabilities increased by 17% to 292 in total, including nine critical vulnerabilities in 2024, compared to zero in 2022.
- Microsoft Azure and Dynamics 365 vulnerabilities plateaued in 2024.
- There were 587 Windows vulnerabilities in 2024; 33 were critical.
- Windows Server had 684 vulnerabilities in 2024; 43 were critical.
The report includes insights from private and public sector cybersecurity experts on how practices such as implementing least privilege and zero trust, prioritizing vulnerability management, and securing remote access pathways help defend a Windows environment against current and future threats.
"One of the biggest causes of data breaches is compromised credentials. Overprivileged user accounts are the low hanging fruit attackers are looking for, and they'll always take the path of least resistance. It's essential to secure your privileged accounts (and all pathways to them) to avoid sneaky attack vectors and lateral movement through your network," Anton Chuvakin, security advisor at the Office of the CISO, Google Cloud, comments in the report.
Sami Laiho, senior technical fellow and Microsoft MVP (Most Valuable Professional), notes that while Microsoft reached an all-time record for vulnerabilities, the number has now stayed near the same level for five years in a row. At the same time, Laiho says, it is important to understand that roughly 40,000 Common Vulnerabilities and Exposures (CVEs) were reported in total in 2024. "While Microsoft is just a small portion of those, the role that Windows plays as the most used desktop operating system means it's the one that usually shows the actual ransomware note to the user and is the final end-game target for the attacker," he says in the report.
Laiho adds that since most identity-targeted attacks go after the routes people use to reach online services, the rise in the number of vulnerabilities in Edge and Office is of concern. "The good news is that proactive measures will help you in the task, even when it seems almost impossible," he adds.