In 2020, the number of vulnerabilities in Microsoft products exceeded 1,000 for the first time
Microsoft products are used by billions of people worldwide. Historically, however, they are known to have many vulnerabilities that pose security risks to users of the software.
According to data presented by the Atlas VPN team, the total number of vulnerabilities in Microsoft products reached 1,268 in 2020 — an increase of 181% in five years.
Windows was the most vulnerability-ridden Microsoft product. It had a total of 907 issues, of which 132 were critical.
The figures are based on Microsoft Vulnerabilities Report 2021 by BeyondTrust. The report examines vulnerability data published by Microsoft in security bulletins in the past year.
The findings show that the number of vulnerabilities in Microsoft products has been steadily rising every year. The most significant year-over-year increase occurred from 2016 to 2017, when Microsoft vulnerabilities jumped by 52% from 451 to 685.
The following year, on the other hand, saw the smallest rise in new vulnerabilities in five years. They climbed by 2% to a total of 701 in 2018. From 2018 to 2019, the number of Microsoft vulnerabilities rose by 22% to 858, while in 2020 it hit 1,268 — a 48% increase over 2019.
While Windows, including Windows 7, Windows RT, Windows 8/8.1, and Windows 10, had the most vulnerabilities overall (907) of any Microsoft product, Windows Server had the largest number of critical issues. In 2020, 902 vulnerabilities were detected in Windows Server, of which 138 were critical.
Issues were also found in other Microsoft products, such as Microsoft Edge and Internet Explorer 8, 9, 10, and 11. Together, these browsers had 92 vulnerabilities in 2020. Of these, 61, or 66%, were critical.
Meanwhile, Microsoft Office, including Excel, Word, PowerPoint, Visio, Publisher, and other Office products, had 79 vulnerabilities, 5 of which were critical.
Elevation of privilege is the most common Microsoft vulnerability
A wide range of vulnerabilities was discovered in various Microsoft products last year. However, some types of vulnerabilities were more common than others.
Elevation of privilege was the most frequently detected issue in Microsoft products. It was discovered 559 times and made up 44% of all Microsoft vulnerabilities in 2020.
Such vulnerabilities allow malicious actors to gain higher-level permissions on a system or network. The attacker can then use these privileges to steal confidential data, run administrative commands, or install malware.
Next up is remote code execution. Until 2020, this was the most frequently detected Microsoft vulnerability. However, last year, 345 such vulnerabilities were found, bringing it to second place on the list. Remote code execution accounted for 27% of the total number of Microsoft vulnerabilities in 2020.
Remote code execution vulnerabilities, as the name suggests, allow malicious actors to execute any code of their choice on a victim’s device via LAN, WAN or the internet. In this way, attackers can take complete control of the device system or steal the victim's data.
Information disclosure occupies the third spot on the list. In 2020, 179 such issues were detected. Together, they made up 14% of all vulnerabilities that year.
Information disclosure occurs when a web application unintentionally reveals sensitive information to unauthorized parties. Hackers can use this information to craft an attack.
Other kinds of issues discovered in Microsoft products in 2020 include spoofing (104), denial of service (46), security feature bypass (30), and tampering (7).
Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.