For the third year running, this vulnerability accounted for around 55% of the total number of CVEs and related security bulletins

In a yearly report dissecting and summarizing Microsoft “Patch Tuesday” content and security bulletins over a 12-month period, some of the firm’s most significant CVEs of 2022 were ranked and reviewed by a panel of some of the world’s leading cybersecurity experts.

For 2022, the report concluded that Microsoft vulnerabilities had hit an all-time high (at 1,292) since 2013 reporting. On top of the surge, the nature of the threat and impact posed by each vulnerability had evolved in uniqueness and impact.

Some highlights and key 2022 findings are as follows:

    • Elevation of Privilege was the #1 vulnerability category for the third year running, accounting for 55% (715) of the total vulnerabilities
    • Microsoft Azure and Dynamics 365 registered the biggest gain in number of vulnerabilities for the period of review
    • 6.9% of vulnerabilities were rated as “critical” compared to 44% in 2013
    • Azure and Dynamics 365 vulnerabilities skyrocketed by 159%, from 44 in 2021 to 114 in 2022
    • Microsoft Edge experienced 311 vulnerabilities last year, but none was critical
    • There were 513 Windows vulnerabilities, 49 of which were critical
    • Microsoft Office experienced a five-year low of 36 vulnerabilities
    • Windows Server vulnerabilities rose slightly to 552
    • The past 10 years have seen the number of Microsoft vulnerabilities increase across all categories, with Elevation of Privilege vulnerabilities climbing 650% by 2022. In that time, new Microsoft products have driven the overall increase in vulnerabilities, with Azure and Dynamics 365 vulnerabilities climbing by 159%, largely due to one product — Azure Site Recovery Suite —in 2022
    • Over the past 10 years of reviewing Microsoft product vulnerabilities, the fundamental ways to mitigate the risks had remained constant: least privilege enforcement has proven to be just as relevant to the cloud systems and IoT devices of today as it did to the legacy systems, some of which are still operational

According to James Maude, Lead Security Researcher, BeyondTrust, which produces the reports: “Microsoft has a high volume of vulnerabilities that we have seen increase over the last 10 years of our research. This report outlines many of the risks, and highlights the importance of timely patching alongside the removal of excessive administrative rights to mitigate the risks.”