Microsoft security vulnerabilities increasing – but removing admin rights fixes most of them

Written by David Adams
20/02/2018

Reported security vulnerabilities in Microsoft technologies have more than doubled since 2013 – but most could be mitigated by removing admin rights, according to research from Avecto.

685 vulnerabilities were reported during 2017, compared to 325 in 2013 and 451 in 2016, according to Avecto’s annual Microsoft Vulnerabilities Report. The number of critical vulnerabilities has increased by 60 per cent over the same period; and there has been an 89 per cent increase in the number of vulnerabilities reported in Microsoft Office products.

But removing admin rights could mitigate 80 per cent of all critical vulnerabilities reported in 2017, including 95 per cent of critical vulnerabilities in Microsoft browsers and 60 per cent of such vulnerabilities in Microsoft Office software.

A record 587 vulnerabilities were reported in the Windows operating systems Vista, 7, 8.1/RT 8.1 and 10. The number of critical vulnerabilities reported in Windows 10 increased by 64 per cent during 2017. Remote Code Execution (RCE) vulnerabilities account for the largest proportion of all Microsoft vulnerabilities: there were 310 RCE vulnerabilities in 2017, of which 231 were considered critical. There were also almost 200 information disclosure vulnerabilities reported, a sharp increase from fewer than 100 in 2016.

But the research makes it clear that removing admin rights and adopting the principle of least privilege can do a great deal to protect individual users’ machines. Of 140 critical vulnerabilities reported in Microsoft Edge, 134 could be mitigated through removal of admin rights, as would 45 of the 48 critical vulnerabilities discovered in various versions of Internet Explorer. Avecto calculates that more than 88 per cent of all critical vulnerabilities reported by Microsoft during the past five years could have been mitigated by removing admin rights.
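The mitigation the report recommends starts with knowing which accounts actually hold local admin rights. The following PowerShell script is an added example, not part of the article or of Avecto's research: it enumerates the members of the local Administrators group on a Windows 10 / Server 2016 or later machine and reports any principal that is not on an allow-list. The allow-list contents (the built-in local Administrator account and a "Domain Admins" group) are assumptions to be adjusted for your environment; the `Get-LocalGroupMember` and `Remove-LocalGroupMember` cmdlets come with the built-in Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example (not from the article or Avecto): audit which accounts hold
# local admin rights so that unnecessary memberships can be removed in line
# with the principle of least privilege.
# Requires the built-in Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+).
# The allow-list below is an assumed example; adjust it to your environment.

$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local Administrator account
    'Domain Admins'                       # assumed domain group that should keep rights
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$AllowList = $AllowedAdmins
    )

    # Names come back as COMPUTER\user or DOMAIN\group, so match on the suffix.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $member = $_
        $name   = $member.Name
        $isAllowed = $AllowList | Where-Object { $name -like "*$_" }
        if (-not $isAllowed) {
            [pscustomobject]@{
                Name            = $name
                ObjectClass     = $member.ObjectClass      # User or Group
                PrincipalSource = $member.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    }
}

# Report only; removal is a separate, deliberate step after review.
$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Output 'Principals holding local admin rights outside the allow-list:'
    $unexpected | Format-Table -AutoSize
    # Example removal once a membership has been confirmed as unnecessary
    # (hypothetical account name):
    # Remove-LocalGroupMember -Group 'Administrators' -Member 'CONTOSO\jdoe'
} else {
    Write-Output 'Local Administrators group contains only allow-listed principals.'
}
```

Run it in an elevated PowerShell session on each endpoint (or through your management tooling); the script only reports, so the removal line stays commented out until each membership has been reviewed. Standard users who need occasional elevated tasks are better served by a just-in-time or per-application elevation mechanism than by permanent membership in the Administrators group, which is the point the Avecto figures make.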