The number of privilege escalation bugs in Microsoft's products increased for the second year in a row in 2021, highlighting the growing risk this vulnerability category poses for organizations.
BeyondTrust recently analyzed data from Microsoft vulnerability disclosures in 2021 and found that 588 — or 49% — of the total 1,212 bugs that the company disclosed gave attackers a way to elevate privileges on compromised systems and networks. The number represented a 5% increase from the 559 privilege escalation bugs in Microsoft products that BeyondTrust counted in 2020, when such bugs also eclipsed all other categories of vulns in the company's technologies.
The trend is important because organizations sometimes tend to pay less attention to privilege escalation vulnerabilities than other bugs because often, they can only be exploited after an attacker has already compromised a system. "Elevation of privilege bugs do not get the same attention from organizations" as some other vulnerabilities, says Tim McGuffin, director of adversarial engineering at LARES Consulting. Most organizations focus on preventing initial compromise, which can come from remote code execution vulnerabilities and other flaws, he says. "But [they] often de-prioritize patches for EoP vulns and wait until quarterly or annual patch cycles."
A New Trend
The number of privilege escalation vulnerabilities in Microsoft's technologies increased last year even as the overall number of reported bugs in the company's products declined for the first time in years. The 1,212 bugs that Microsoft disclosed in 2021 was about 5% lower than the 1,268 bugs it reported in 2020. That was in sharp contrast to the previous four years, which saw a near doubling in bugs — from 451 in 2016 to 858 in 2019.
BeyondTrust also observed a 47% decrease in the number of critical vulnerabilities that Microsoft disclosed in 2021 — 104 compared to 196 in 2020. The number of Windows OS vulnerabilities, too, dropped dramatically in 2021 — from a record 907 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 to just 507 last year.
Remote code execution vulnerabilities, which were the most common type of security issue in Microsoft products until 2019, ranked second last year at 326, followed by information disclosure vulnerabilities (119), spoofing (66), and denial of service bugs (55). Microsoft reported a total of 44 security bypass vulnerabilities last year and 3 issues related to tampering. BeyondTrust observed declines in other vulnerabilities such as in overflow, memory corruption, and cross-site scripting flaws in Microsoft technologies. Cumulatively, there were 215 fewer vulnerabilities across these three categories in 2021 compared to the prior year.
The vendor ascribed several likely reasons for the Microsoft vulnerability reductions last year, including better security and coding practices on Microsoft's part; end of life of Windows 7 and other products: and the shift of more enterprise workloads and services to the cloud.
Fewer Critical Vulnerabilities
"A drop in critical vulnerabilities reported from 196 to 104 is great news," says Richard Stiennon, chief research analyst at IT-Harvest. "Yet it's hard to derive insights from just the numbers."
The increase in privilege escalation vulnerabilities, for instance, is significant because it indicates that researchers are looking harder for these flaws in Microsoft products. "These are critical because an attacker will use them to ultimately get admin privileges and thus complete control of a system," Stiennon says. "APT groups usually have some sort of escalation exploits in their toolboxes to compromise their targets."
Microsoft's late-2021 adoption of the industry-standard CVSS format for reporting vulnerabilities also made it impossible to determine how many of the critical vulnerabilities it disclosed last year could have been mitigated by removing admin rights on user systems, BeyondTrust said.
The CVSS is derived from data that is designed to produce a numerical score relative to the severity of a vulnerability, says Christopher Hills, chief security strategist at BeyondTrust. "This is great for the overall audience in seeing which vulnerabilities have the highest severity," he says. "But it provides camouflage for those vulnerabilities that leverage privilege elevation because those are now buried in the report."
Between 2015 and 2020, some 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights on user systems. There's little reason to believe that the situation has changed a whole lot now, according to BeyondTrust.
"With end user systems and remote access being the top attack vector for bad actors, there truly is no valid reason why users should have standing rights or admin rights on end user systems," Hills says. Removal of admin rights has the potential to impact end user productivity and foster a bad user experience, he admits: "But with today’s technology and the solutions available, there is no amount of end user productivity that could outweigh the cost of a breach or compromise."
McGuffin says the decline in reported Microsoft vulnerabilities last year could also have to do with other reasons. Some countries have modified their vulnerability disclosure processes so that newly discovered vulnerabilities must be reported to the government first — and only then can be reported to the vendor, he notes. "Those same countries have also restricted citizens' ability to participate in competitions like Pwn2Own, where vulnerabilities would be publicly disclosed after the competition," he notes.
And because researchers sometimes focus on specific areas and technologies, that also can have an impact on the number of vulnerabilities discovered in a particular category, McGuffin says. "As an example, one vulnerability in the [Windows] print spooler service prompted several other researchers to dig deeper, and we're up to over a dozen RCE and PrivEsc vulns in the spooler now," he says.