Reported Critical Vulnerabilities In Microsoft Software On the Rise

Avecto researchers say removing admin rights from users would mitigate many of the threats.

The number of reported vulnerabilities in Microsoft software has mounted from 325 in 2013 to 685 last year, a rise of 111 percent, according to new research.

Moreover, there has also been a 54 percent increase in critical Microsoft vulnerabilities since 2016, researchers at Avecto said in their report, which is based on data from Microsoft’s Security Update Guide.

The number of vulnerabilities in Windows 10 jumped 64 percent last year, and critical vulnerabilities in Microsoft browsers rose 46 percent since 2013. Some of this can be attributed to the fact that Windows 10 and Microsoft’s Edge browser are both fairly new products and therefore subject to ongoing refinement, along with extra scrutiny from security researchers.

Last year, Microsoft reported 587 vulnerabilities spanning Windows Vista, Windows 7, Windows RT, Windows 8/8.1 and Windows 10, according to the report. “This is a record high, coming in 232 vulnerabilities more than last year’s report, and marking a 132% increase on the numbers from 5 years ago,” Avecto said.

Remote code execution vulnerabilities took up the biggest chunk of the 685 reported overall in 2017, at 301. RCE vulnerabilities in Microsoft software have risen 58 percent since 2013, according to Avecto’s report.

The remaining vulnerabilities were categorized–in order of their incidence–as information disclosure, elevation of privilege, denial of service, security feature bypass, spoofing and tampering. Avecto’s research didn’t provide percentages for those categories.

Avecto develops user privilege management software. To that end, its report repeatedly stresses the importance of removing admin rights from end users.

Avecto contends that taking away admin rights would mitigate 80 percent of the critical vulnerabilities reported in 2017. The report also says that 134 of the 140 critical vulnerabilities found in Edge last year could have been mitigated by the removal of user admin rights.

“Some organizations believe that user account control (UAC) will protect them, but attackers know of many methods to silently bypass UAC popups,” said Jake Williams, president of Rendition Infosec, in the report. “Even Microsoft says that UAC is not a security control. By removing administrative rights from your users, you ensure that the attacker cannot take full control of a machine even if a vulnerability is exploited.”

“Ideally all machines would be patched immediately and users wouldn’t have local admin on their machines,” Williams added. “But we live in the real world and often organizations are dealing with years of technical debt and poor architecture decisions.”

Suggested articles


  • John S on

    So Microsoft sold us all on how Windows 10 would be more secure. I think not only is it getting worse, but clearly the fixes don't work as planned either. Causing their own issues which in turn either causes patches to be pulled and/or revised. Maybe this is related to the six month or so new Windows 10 releases? Far as my experience I felt safer with Windows 7 then Windows 10.
  • Milo Mabery on

    The article noted that the reported vulnerabilities spanned across Windows Vista, Windows 7, Windows RT, Windows 8/8.1 and Windows 10. What the vulnerability category bar chart failed to include, in lieu of the collective whole presented, is each of the Microsoft Operating Systems the vulnerabilities spanned across. That comparison may paint a different picture in regards to which Operating System may be more prone to vulnerabilities than another. The article did not state 111 percent rise in vulnerabilities was specific to a single Microsoft Operating System.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.