Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

Windows

2/19/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Microsoft Vulnerabilities More Than Doubled in 2017 Report

A comprehensive exam by security vendor Avecto found that the number of vulnerabilities in Microsoft's products increased from 234 to 685 between 2016 and 2017.

Avecto has done the entire security field a service by analyzing the data that Microsoft issued through the company's Security Update Guide throughout 2017.

Microsoft Corp. (Nasdaq: MSFT) uses the Security Update Guide to detail the security vulnerabilities that affect all the company's products and services. Avecto's report takes a look at the results over the 12 months of 2017 and details the trends that emerged during that time.

The increase in Microsoft vulnerabilities from 2016 to 2017 is the largest in the company's history. Last year, the report found 685 vulnerabilities in total, which was 234 more the 2016 total. This is more than double the 325 that were found in 2013.

(Source: Security Now)
(Source: Security Now)

In addition, the number of reported vulnerabilities has risen 111% during the five-year period from 2013 to 2017.

Remote code execution (RCE) vulnerabilities were the most numerous of the total 685 vulnerabilities that were found -- coming in at 301. There has been a 58% increase in RCE vulnerabilities since 2013.

When only critical vulnerabilities are considered, there has been a 54% increase since 2016 and 60% between 2013 and 2017.

Other classifications of vulnerabilities included information disclosure, elevation of privilege, denial of service, security feature bypass, spoofing and tampering.

However, 587 vulnerabilities were reported in 2017 across Windows Vista, Windows 7, Windows RT, Windows 8/8.1 and Windows 10 operating systems. Avecto calls this a record high. The total is 232 vulnerabilities more than what it reported in 2016, as well as a 132% increase of the numbers that were reported five years ago.

The number of vulnerabilities in Windows 10 jumped 64% last year, and critical vulnerabilities in Microsoft browsers rose 46% since 2013. It may be argued that these sorts of increases should actually be expected, since new products such as Windows 10 will have increased security scrutiny and therefore more vulnerabilities identified.

The report also notes that vulnerabilities in Microsoft Office continued to see a year-on-year rise, hitting a record high of 87 in 2017. Since 2013, critical vulnerabilities have doubled, although these issues increased from six to 12.


The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

What can be done about this is where the report shifts from useful data to a bit of a sales effort. Avecto sells user privilege management software. It also says in the report -- without presenting any direct evidence -- that removing local admin rights from most users would mitigate 80% of the critical vulnerabilities that were reported in 2017.

That does not mean the company may not be philosophically correct, however.

In the report Sami Laiho, a Microsoft Most Valuable Professional (MVP), notes: "For years, most security fronts have recommended least privilege as the most needed security feature out there. From my point of view, it still is -- as it would have blocked 80% of vulnerabilities."

So, least privilege may be a very good idea to deal with the problems Microsoft is evidencing. But it is no magic bullet since even the report admits that 20% of the vulnerabilities would have caused harm even with it in place.

In any case, the report shows that the vulnerabilities associated with Microsoft products and services are rising to ever-higher levels.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3769
PUBLISHED: 2021-11-30
# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vul...
CVE-2021-3725
PUBLISHED: 2021-11-30
Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the...
CVE-2021-3726
PUBLISHED: 2021-11-30
# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsaf...
CVE-2021-3727
PUBLISHED: 2021-11-30
# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger c...
CVE-2021-43790
PUBLISHED: 2021-11-30
Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduce...