Billions of users worldwide use Microsoft products. Microsoft has a long-standing history of software security issues, and in 2020 the number of vulnerabilities in its products rose above 1,000 for the first time.
Data presented by the Atlas VPN team indicates that the number of Microsoft product vulnerabilities reached 1,268 in 2020, increasing 181% in only five years. The most vulnerable Microsoft product was Windows—of the 907 issues found, 132 were critical.
A Steady Rise in the Numbers
The number of Microsoft product vulnerabilities has risen steadily every year. One of the hardest-hit periods for Microsoft occurred between 2016 and 2017. During this time, product vulnerabilities increased from 451 to 685, a whopping 52% jump!
In 2018, the rise in new vulnerabilities for Microsoft was the smallest recorded in five years: a climb of only 2%, for a total of 701. Between 2018 and 2019, the number of vulnerabilities rose by 22%, totaling 858. In 2020, however, this figure hit 1,268, a 48% increase over 2019.
Microsoft's Windows products had 907 vulnerabilities, the most of any Microsoft product. This category includes Windows 7, Windows 8/8.1, Windows 10, and Windows RT, with Windows Server having the most critical issues. In 2020 alone, Windows Server experienced 902 vulnerabilities, with 138 of these vulnerabilities being critical.
Wide-Spread Weaknesses Reported
Microsoft operating systems were not the only products at risk. Other Microsoft products such as Microsoft Edge and Internet Explorer 8, 9, 10, and 11 also experienced issues. These two browsers combined had 61 critical-level vulnerabilities out of 92 total vulnerabilities in 2020.
Microsoft Office had five critical vulnerabilities out of 79 in total. This included Microsoft Excel, PowerPoint, Publisher, Visio, and other Office products.
Across the vast array of vulnerabilities found in Microsoft products, elevation of privilege was the most frequent type, making up 44% of all Microsoft vulnerabilities in 2020. Elevation of privilege issues occurred 559 times throughout the year.
These types of vulnerabilities allow Cyber Threat Actors (CTAs) to gain high-level permissions on a network or system. The attacker can use those privileges to steal confidential data, install malware, or run administrative commands.
An Uptick in Cyber Attacks
Remote Code Execution (RCE) is the ability of an attacker to gain access to someone else's computer from any geographical location and make changes to the device or steal data. In 2020, this was one of Microsoft's most frequently detected vulnerabilities.
A total of 345 RCE vulnerabilities were discovered, making this the second most common vulnerability type for Microsoft and accounting for 27% of all Microsoft vulnerabilities in 2020.
Information disclosure (or information leakage) occurs when a website unintentionally reveals sensitive data and information to its users. This was the third most common vulnerability type for Microsoft in 2020. With 179 information leakage issues detected, it made up 14% of all vulnerabilities for Microsoft that year.
Microsoft's issues in 2020 extended to other vulnerability types as well. These included spoofing at 104, denial of service at 46, security feature bypass at 30, and tampering at seven vulnerabilities.