Security vulnerabilities in Microsoft software double in five years - report

Avecto claims that almost half of the vulnerabilities fixed by Microsoft enable remote code execution

The number of security flaws affecting Microsoft software has more than doubled in recent years, growing by 111 per cent since 2013, according to security firm Avecto.

It claims that the company handled 325 security flaws in its software in 2013, but this rose to 685 in 2017.

This research, which is based on Microsoft's Security Update Guide, reveals a plethora of interesting findings, such as the fact that Microsoft Office was among the most affected of the company's software packages.

Over this period, there was an 89 per cent increase in security flaws affecting Office. Meanwhile, flaws impacting Windows 10 grew by 64 per cent in 2017 alone. Critical vulnerabilities in Microsoft's web browsers - Internet Explorer and Edge - also grew by 46 per cent.

The study also found that removing admin rights could mitigate 80 per cent of security vulnerabilities identified in 2017.

In fact, 95 per cent of critical vulnerabilities found in Internet Explorer and Edge can be eased with this method.

Although security problems affecting Windows 10 only seem to be growing, the study revealed that removing admin rights could mitigate 80 per cent of them.

Overall, there was a 54 per cent increase in the number of flaws found in Microsoft's software products. In total, it found 587 vulnerabilities across all of its operating systems, from Windows Vista, Windows 7, Windows RT and Windows 8 to Windows 10.

Almost half of the vulnerabilities identified (301 out of 685) could have resulted in remote code execution, claimed the report. These have increased by 58 per cent in recent years.

However, the security firm also found instances of security feature bypass, denial of service, data leaks, elevation of privilege and spoofing.

The firm said: "This is a record high, coming in 232 vulnerabilities more than last year's report, and marking a 132 per cent increase on the numbers from five years ago."

"Time and again in these reports we see how removing admin rights is the most effective step to take in mitigating these vulnerabilities, and this year is no different. Removing admin rights would mitigate the risk of 80 per cent of all Critical Microsoft vulnerabilities in 2017."

Jake Williams, president of Rendition Infosec, wrote in the report: "Some organisations believe that user account control (UAC) will protect them, but attackers know of many methods to silently bypass UAC pop-ups.

"Even Microsoft says that UAC is not a security control. By removing administrative rights from your users, you ensure that the attacker cannot take full control of a machine even if a vulnerability is exploited."