The total number of reported vulnerabilities in Microsoft's software products, including those in the new Windows 10 operating system, more than doubled over the last four years, and the number of critical vulnerabilities rose by 60 percent in the same period.
According to a Microsoft Vulnerabilities Report released by security software company Avecto, a total of 685 vulnerabilities were reported in Microsoft's products last year, including 587 in the relatively newer versions of Microsoft's desktop operating system: Windows Vista, Windows 7, Windows 8.1/RT 8.1 and Windows 10. Only 451 vulnerabilities in Microsoft's products were reported in the previous year.
The number of vulnerabilities reported last year represented the largest annual jump of the four-year period. In fact, the total number of reported vulnerabilities in Microsoft's products last year was more than twice the number reported in 2013.
Microsoft's new Windows 10 operating system, first launched in July 2015 and updated routinely by the software giant ever since, had 64 percent more critical vulnerabilities in 2017 than in the previous year. The total number of critical vulnerabilities across all Microsoft products also rose by 60 percent between 2013 and 2017. Avecto also observed an 89 percent rise in Microsoft Office vulnerabilities and a 98 percent increase in Microsoft browser vulnerabilities since 2013.
Mark Austin, co-founder and CEO of Avecto, said that even though there has been a major rise in the number of reported Microsoft vulnerabilities, enterprises can still take effective actions to ensure that they're protected without sacrificing productivity. “The challenges organisations face to improve security have not changed, yet many are still unaware that by simply removing admin rights, the risk of so many threats can be mitigated,” he said.
According to Avecto, 80 percent of all critical Microsoft vulnerabilities, 95 percent of critical vulnerabilities in Microsoft browsers, and 60 percent of critical vulnerabilities in Microsoft Office products such as Excel, Word, PowerPoint, Visio, and Publisher can be mitigated by the removal of admin rights.
Dr. Eric Cole, instructor at The SANS Institute, said that aside from removing admin access, prevention techniques like application whitelisting and adopting the principles of least privilege also "go a long way toward protecting individual users' machines and reducing inroads to the network while not severely restricting user functionality".
In an email to SC Magazine UK, Paul Edon, director at Tripwire, said: “System vulnerabilities are nothing new and are constantly being discovered. This is why it is crucial that organisations have sound security hygiene that incorporates Vulnerability Management. Vulnerability Management requires a combination of people, process and technology to work efficiently.”
“Successful and comprehensive patching requires asset inventory, vulnerability scanning, a patch management tool, auditing for success/failure and the people and process to ensure all of these are done continuously. Organisations that fail to address this are asking for trouble as hackers will always go for the easy targets over a more complex method of compromise,” he added.