587 Windows Vulnerabilities — A Microsoft Security Record Breaker

Posted by Davey Winder, Senior Contributor | 3 weeks ago | /consumer-tech, /cybersecurity, /innovation, Consumer Tech, Cybersecurity, Innovation, standard | Views: 4


As a cybersecurity analyst and writer, it can often feel like Microsoft is too easy a target when it comes to matters of threats, incidents, and, of course, security vulnerabilities. There’s good reason why Microsoft itself, and especially the Windows operating system ecosystem, gets so many cybersecurity-related headlines — it’s a massive target because of the size of its user base. It really is as simple as that. You really do have to bear this in mind when reading about 2FA bypass attacks, multi-stage malware campaigns, infostealers infecting a million Windows devices, and hackers finding ways around Windows Defender defenses. Don’t get sucked into the “Microsoft doesn’t care about your security” trap, as nothing could be further from the truth. Indeed, even though a newly published report has confirmed a record-breaking year for reported Microsoft vulnerabilities, including hundreds impacting the Windows and Windows Server platforms, that’s actually not as bad a thing as you might imagine.


The Windows Vulnerability Conundrum

When you see any headline alerting you to a security vulnerability, you probably immediately think that this is a bad thing. I mean, you aren’t 100% wrong, of course, but it really isn’t quite that straightforward. It rather depends on who is doing the disclosing and whether attacks are already underway. So-called zero-day vulnerabilities, where the security flaw has remained unknown until an attacker starts to exploit it, are one thing. But responsibly disclosed vulnerabilities, reported by internal security teams and external researchers, are quite another. Take, for example, the average Microsoft Patch Tuesday security rollout, where such vulnerabilities are disclosed to the public for the first time and the patches to fix them are provided at the same time. Does that make you less or more secure? The correct answer, dear reader, is the latter.

In much the same way, a new report from BeyondTrust analysts that has revealed 2024 to be a record-breaking year for the number of Microsoft security vulnerabilities reported, a total of 1,360 in all, is a good thing as far as I am concerned. Imagine if those vulnerabilities had gone unreported until a criminal hacker found them and exploited them; now that would be a bad thing.


I’m pleased that the report found this number to be an 11% increase over 2023, as that means security researchers are doing a better job of hunting down the holes in product code. Would I like there to have been fewer security feature bypass vulnerabilities than the 90 discovered, up 60% from the previous year? Heck yes, of course, I’m no fan of sloppy coding allowing such things to be worked around. Yet still, the fact remains, these bypasses were found and patched.

When it comes to Windows, the report found 587 vulnerabilities, 33 of which met Microsoft’s critical rating criteria; Windows Server had 684, 43 of which were critical. BeyondTrust is absolutely right when it says that the longer-term trend shows not only that the pace of vulnerability growth is stabilising, but also that “Microsoft’s security initiatives and improvements in the security architecture of modern operating systems are paying off.” Those security initiatives have, for example, seen Microsoft pay security researchers more than $60 million in bounties for finding vulnerabilities in its software.

How safe are you using Windows? Safer than using software that doesn’t invest in finding and fixing security vulnerabilities. Simples.
