Microsoft vulnerabilities report offers key cybersecurity insights

In 2020, a record number of 1,268 Microsoft vulnerabilities were discovered, a 48% increase year over year, a BeyondTrust report finds. Its CISO sits for an interview to dig deep into the findings.
By Bill Siwicki
11:31 AM

(Credit: HIMSS)

BeyondTrust, a privileged access management security technology vendor, today has released its "2021 Microsoft Vulnerabilities Report."

The annual research includes the latest breakdown of Microsoft vulnerabilities by category and product, as well as a five-year trend analysis. These provide a holistic understanding of the evolving threat landscape. The report analyzes the data from security bulletins publicly issued by Microsoft throughout the previous year.

Approximately 1.5 billion people use Windows operating systems each day, with various applications for Microsoft's products reaching into homes, businesses and entertainment venues. The data in this report provides a barometer of the threat landscape for the Microsoft ecosystem.

Now in its eighth edition, this year's report identified the following highlights:

  • In 2020, a record-high number of 1,268 Microsoft vulnerabilities were discovered, a 48% increase year over year.
  • The number of reported vulnerabilities has risen a whopping 181% in the last five years (2016-2020).
  • Removing admin rights from endpoints would mitigate 56% of all critical Microsoft vulnerabilities in 2020.
  • For the first time, "Elevation of Privilege" was the No. 1 vulnerability category, comprising 44% of the total, nearly three times more than in the previous year.
  • 87% of critical vulnerabilities in Internet Explorer and Microsoft Edge would have been mitigated by removing admin rights.
  • 70% of critical vulnerabilities affecting Windows 7, Windows RT, 8/8.1 and 10 would have been mitigated by removing admin rights.
  •  80% of critical vulnerabilities in all Office products (Excel, Word, PowerPoint, Visio, Publisher and others) would have been mitigated by removing admin rights.
  • 66% of critical vulnerabilities affecting Windows Servers would have been mitigated by removing admin rights.

In the week of March 8, there was a major cyberattack against Microsoft’s exchange e-mail service that affected hundreds of thousands of organizations worldwide. The White House said organizations should patch right away, and added this was a situation of great urgency.

Healthcare IT News interviewed Morey Haber, chief technology officer and chief information security officer at BeyondTrust, to dig deeper into the report.

Q: Your research reveals a record high of 1,268 total Microsoft vulnerabilities discovered in 2020, a 48% year over year increase. What are the most significant vulnerabilities found, and what accounts for such a huge increase?

A: The Microsoft Vulnerabilities Report doesn't analyze individual vulnerability information in that sense, but provides a holistic annual view of the volume and type of vulnerabilities throughout the year. 

By Microsoft's own categorization, "critical" vulnerabilities are the most significant as, if these are exploited, they can lead to the most damage and impact. There were 196 critical vulnerabilities in 2020, and 56% of them could have been prevented by removing admin rights.

In terms of the huge increase, the reason poses a very perplexing question and one that I cannot answer. For a similar time frame last year, Microsoft was still supporting Windows 7 and Windows 2008 R2 (EOL January 2020). Microsoft had more GA (Generally Available) desktop and server products on the market than today.

So why with less available products are there more vulnerabilities? Is it because threat actors are getting more sophisticated in their attacks; is Microsoft code becoming less secure as they adopt rapid agile releases; or is the bloat in sophistication and features just leading to more vulnerabilities? 

"There are many advantages to removing admin rights. On a system level, by removing admin rights users are unable to write files or entries in certain places on their machines."

Morey Haber, BeyondTrust

Realistically, it is probably a combination of all three, but it is counterintuitive to think if you have fewer products to support then you should have less vulnerabilities. That is clearly not the case for 2020, and, as we know now, 2020 will go down in history for a variety of events.

Q: One of your key findings shows that removing admin rights from endpoints would mitigate 56% of all critical Microsoft vulnerabilities from last year. Why? And what are a couple other suggestions that healthcare organization CIOs and CISOs can do?

A: There are many advantages to removing admin rights. On a system level, by removing admin rights users are unable to write files or entries in certain places on their machines. 

This means your computers are cleaner and more stable, and therefore less prone to a successful cyberattack. It's been found on multiple occasions that the vast majority of security breaches involve privileged credentials.

If an attacker is able to gain control or access to a machine with local admin rights, they have the freedom and access to steal data or move laterally across the network. 

However, if they gain access to only a standard user account, their abilities to inflict damage is instantly (and significantly) limited. Therefore, by removing admin rights in your organization, your attack surface and risk of a breach becomes much smaller, and any successful breach easier to contain.

Healthcare organization CISOs would do well to follow the five critical steps to endpoint security, as recommended by BeyondTrust:

  1. Use antivirus software as a first line of defense.
  2. Remove admin privileges from end users to minimize risk, stop threats and mitigate baseline drift.
  3. Use pragmatic application control to ensure only authorized applications can execute.
  4. Leverage endpoint detection and response software to catch any attacks that might slip through and trigger an indicator of compromise.
  5. Ensure other basic security hygiene (web proxy, agent vulnerability management, etc.) are in place to complete your strategy.

Taking this multi-layered approach to security will significantly reduce the chances of a breach, as there are multiple obstacles for the attacker to navigate. 

All the other steps are made inherently stronger by removing admin rights, and this is one of the key (often overlooked) steps especially in mitigating the threats from ransomware.

Q: You say that 80% of critical vulnerabilities in all Office products (Excel, Word, PowerPoint, Visio, Publisher and others) would have been mitigated by removing admin rights. Why? What do CIOs and CISOs need to learn from this finding?

A: By removing admin rights, you are preventing attackers from having the ability to install malicious code via Office links and email, run child process from within Office, and [launch] macros as an administrator associated with threats like ransomware. 

This makes it more difficult for their users (and systems) to ultimately be infected. Since many, or all, of these products are commonly used at some level within an organization, having the ability to mitigate 80% of risk with an efficient and relatively small step should not be ignored.

Healthcare CISOs should maintain close control and awareness of their endpoints and users, including the access they require to complete their jobs. In understanding this, measures such as removing unnecessary privileges, applying allow-listing and block-listing, and enabling just-in-time access controls can be applied (crucially) without impacting productivity. 

This is especially true when administrative rights are absolutely required for service or maintenance, but not used for daily activities.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.