Dark Reading is part of the Informa Tech Division of Informa PLC
Cloud

2/14/2018
05:43 PM

Windows 10 Critical Vulnerability Reports Grew 64% in 2017

The launch and growth of new operating systems is mirrored by an increase in reported vulnerabilities.

The number of critical vulnerabilities reported for Windows 10 increased 64% between 2016 and 2017. In total, 587 vulnerabilities were reported across Windows Vista, Windows 7, Windows 8.1/RT 8.1, and Windows 10 over the course of last year.

Researchers at Avecto analyzed data issued by Microsoft via the Security Update Guide throughout 2017. The guide focuses on security vulnerabilities affecting Microsoft products and services. They compiled the data into a yearlong overview to see if vulnerabilities increased.

Overall, they learned the number of reported Microsoft vulnerabilities increased 111% between 2013 and 2017. There has been a 54% increase in Critical Microsoft vulnerabilities reported since 2016, and a 60% increase over the 2013-2017 timeframe.

"I think it's the standard pattern for new operating systems," says Peter Firstbrook, vice president at Gartner, of the increase in reported Windows vulnerabilities. "Bugs generally get discovered as new operating systems launch and get popular."

To his point, the increase in flaws doesn't mean Microsoft's technology is less secure, analysts report. There are several factors at play here, including the growth of the Windows operating system, increasing complexity of services, data leaks, and a larger pool of security researchers.

"The pervasiveness of Windows, of technology means more [vulnerabilities] get identified," says Avecto COO Andrew Avanessian. There are more interconnected devices and a shorter time to market, both of which increase the chance that bugs will be discovered. The problem isn't that Windows is less secure; it's that more machines are being used and attacked.

Microsoft's technology has steadily grown more complex, increasing the likelihood that vulnerabilities will evade detection, says Jeff Pollard, principal analyst serving security and risk professionals at Forrester. The company's security development lifecycle (SDL) has improved software security, but flaws in old and new software still slip through the cracks.

Avecto's research isn't limited to the Windows OS alone. There was an 89% increase in Office vulnerabilities between 2013 and 2017, and Critical vulnerabilities in Microsoft browsers rose 46% over the same period.

"The downside to vulnerability discovery is you don't know when that code was written," Pollard points out. "This could have been code written for Office 2005, or 2013, that was carried forward and we just discovered in 2017 … part of what we don't know is how much might be carried forward from prior architecture and prior processes."

Pollard also emphasizes the idea that external events have had a particular impact on reported Windows vulnerabilities. In particular, activity from the Shadow Brokers and the Vault 7 data leak led to the disclosure of many previously unknown vulnerabilities.

"Whenever you have a new vulnerability discovered or a new type of vulnerability, what you find is more stuff pops up around it," he says. Security researchers add a "follow-on" effect when they use these events as starting points to hunt for more bugs. Overall, he says, businesses are becoming more diligent about penetration testing and application testing.

Compliance requirements also dictate that breaches and vulnerabilities be acknowledged faster, and more organizations and volunteers are identifying them.

"The increase in bounties has helped increase disclosure and patches before malware discovers them," says Firstbrook. "Continuous updates with Windows 10 will help patch faster by removing patching delays."

Patches, Admin Rights, and Mitigating Risk

"The biggest takeaway is the sheer number and volume of critical vulnerabilities that could be mitigated by the removal of administrative rights," says Avanessian.

Researchers dug into the data to see which vulnerabilities could be mitigated by removing administrative rights. Their report states 80% of Critical vulnerabilities reported in 2017 could have been mitigated if admin privileges were taken away.

"In security we tend to put an alarm on our house to stop intruders but leave the front door wide open," he adds. "Many organizations could be in a better, more secure place if they did this simple thing."

Pollard agrees that removing administrative rights is one of the best things that could prevent problems, but it does penalize users and interrupts workflow. "You need to know which employees don't have administrative rights and which employees do," he points out.
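Knowing which accounts actually hold local administrative rights is the first step toward removing them. The following PowerShell audit is an added example, not code from the article or from Avecto's report; it compares the local Administrators group on a Windows 10 endpoint against an approved list (the approved entries below are constructed placeholders) and reports anything unexpected.

```powershell
# Added example: audit local Administrators group membership against an approved list.
# The approved members are hypothetical placeholders; replace them with your own.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",  # the built-in local account (normally disabled)
    'CORP\Workstation Admins'           # hypothetical domain group that should hold admin rights
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$ApprovedMembers)

    # Get-LocalGroupMember ships with Windows 10 / PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts).
    # Member names come back as COMPUTER\account for local principals and DOMAIN\name for domain ones.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        if ($ApprovedMembers -notcontains $m.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            }
        }
    }
}

$findings = Get-UnexpectedLocalAdmins -ApprovedMembers $Approved

if ($findings) {
    $findings | Format-Table -AutoSize
    # Write a CSV so results from many endpoints can be collected centrally
    $findings | Export-Csv -Path "$env:TEMP\local-admin-audit.csv" -NoTypeInformation
} else {
    Write-Output "No unexpected members in local Administrators on $env:COMPUTERNAME"
}
```

Running it under a management agent across the fleet gives the per-employee picture Pollard describes; a non-empty CSV is the list of machines where admin rights still need to be reviewed or removed.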

He points to patch management as a key step to take in mitigating risk. When considering the range of vulnerabilities reported, it's important to consider how many patches need to be deployed to mitigate them. In many cases, a single patch will address multiple issues.

"We need better code quality, we need to make sure the trend doesn't continue … but at the same time, it's not like it was a massive issue to patch all of them," Pollard says. However, he acknowledges that patch management can be complicated for many organizations, and they may not be able to deploy patches if workloads, applications, and infrastructure get in the way.

Other steps businesses can take include application whitelisting: maintaining a catalogue of software that is allowed to run and a separate catalogue of software that is not. Multi-factor authentication is also important.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

Mystic2020, User Rank: Apprentice, 2/16/2018 | 9:56:59 AM
Avecto's Microsoft Vulnerabilities Report 2017
The insight in this report is awesome. Hopefully companies start to wake up to the growing threats! Thanks for sharing.