BeyondTrust, a global provider of intelligent identity and access security, has publicised the findings of its 2024 Microsoft Vulnerabilities Report. This annual report delves into data from the Microsoft Security Bulletins issued throughout the previous year, offering important insights to help organisations pinpoint, comprehend and tackle the risks within their Microsoft ecosystems.

The Microsoft Vulnerabilities Report, which has been steadily providing this valuable data since its inception, shows that the Elevation of Privilege (EoP) continues to be the dominant vulnerability category for the fourth year in a row, constituting 40% of all Microsoft weaknesses in 2023. Furthermore, the report finds that the overall vulnerability figures have held steady, near record highs, for four consecutive years.

The report also details how these vulnerabilities are being utilized in identity-based attacks, bringing to light some of the most consequential Common Vulnerabilities and Exposures (CVEs) of 2023. It reveals significant shifts in trends, with the total vulnerabilities in 2023 lingering between 1,200 and 1,300, a pattern that has remained stable since 2020. Consequently, the EoP vulnerability category remains in the lead, representing 40% (490) of the total vulnerabilities in 2023.

Other emerging trends include a significant increase in Denial of Service vulnerabilities, hitting a record high of 109 in 2023, a towering 51% rise. Similarly, Spoofing has marked a notable rise of 190%, climbing from 31 to 90. In 2023, Microsoft Edge experienced 249 vulnerabilities, only one of which was deemed critical. Additionally, Windows vulnerabilities numbered 522, with 55 marked as critical. Microsoft Office had 62 vulnerabilities, whereas Windows Server vulnerabilities touched 558, with 57 critical.

James Maude, Director of Research at BeyondTrust, said the report continues to spotlight the necessity for enhanced security across all organisations. He stated, "The continued domination of Elevation of Privilege as the most common category of vulnerability, and the identity crisis highlighted at the end of the report underscore the importance of privilege and the timeless security concept of least privilege."

The report also anticipates the future of Microsoft vulnerabilities, foreseeing the continuous emergence of novel vulnerabilities as threats uncover innovative pathways through Microsoft's systems. Moreover, it predicts that unpatched systems and vulnerabilities will remain a gateway for threat actors. Interestingly, the expanding Microsoft technologies are projected to introduce new attack surfaces, with an increasing shift in investments from exploiting vulnerabilities to stealing identities for unauthorised access.

Despite predicting an upsurge in the volume and sophistication of identity-based attacks, the report re-emphasises the importance of long-established security principles like least privilege as potent defences against modern threats. It concludes that organisations combining preventative security controls with threat detection and response are much better equipped to tackle forthcoming threats.