“Removing admin rights mitigates 80%-plus of critical Microsoft vulnerabilities”

BeyondTrust has announced the release of its Microsoft Vulnerabilities Report. The research provides the latest insight into security vulnerabilities facing organisations today, as well as a five-year trends analysis designed to better equip organisations to improve their IT security posture and keep networks and systems safe.

This year’s report has identified the following highlights:

* 700 Microsoft vulnerabilities were reported in 2018, representing a 110% increase in the overall number of reported vulnerabilities over six years (2013-2018)

* The number of vulnerabilities ranked as ‘Critical’ by Microsoft is up 29% over six years (2013-2018)

* Remote Code Execution (RCE) vulnerabilities account for the largest proportion of total Microsoft vulnerabilities through 2018, with 292 RCE vulnerabilities reported and 178 considered ‘Critical’ (61%)

* In 2018, 499 vulnerabilities were reported across Windows Vista, Windows 7, Windows RT, Windows 8/8.1 and Windows 10 operating systems, with 169 considered ‘Critical’ (34%)

* Despite being the newest browser, Microsoft’s Edge browser has nearly triple the number of critical vulnerabilities reported (112) compared to Internet Explorer (39). Critical vulnerabilities in Microsoft Edge have increased six-fold since its inception two years ago

* Vulnerabilities in Microsoft Office continue to rise year-over-year, with a 121% increase over six years (2013-2018)

* Windows Server vulnerabilities represent a significant percentage of the total number of vulnerabilities reported, with 449 in 2018, 136 of those being designated ‘Critical’ (30%)

Further analysis indicates that, over the last five years, nearly 88% of all critical vulnerabilities published by Microsoft could have been mitigated by security teams removing admin rights from users.

“The Microsoft Vulnerabilities Report 2019 supports the importance of least privilege models, proving that reducing the number of admin users is a necessary step in the foundation of your security strategy,” said Dr Jessica Barker, co-CEO of Cygenta and chair of ClubCISO.

“The rate at which vulnerabilities are increasing is a significant concern for organisations committed to protecting their networks from data breaches,” said Morey Haber, CTO and CISO at BeyondTrust. “While organisations need to continue to focus on the security basics, the ability to remove admin rights and control applications is no longer difficult to achieve. Least privilege should be considered as part of a proactive security strategy.”

The full Microsoft Vulnerabilities Report for 2018 can be downloaded here: https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
