Security flaws in Microsoft’s operating systems and Edge browser are up 132% since 2013

Microsoft vulnerabilities have more than doubled since 2013, a new report from Avecto has revealed.

There were 587 vulnerabilities reported across Windows Vista, Windows 7, 8.1/RT 8.1, and Windows 10 in 2017.

Added to this were 140 vulnerabilities with Microsoft Edge, and 48 reported in Internet Explorer versions 8-11.

This is a 132% increase since 2013, Avecto said.

Overall, 685 Microsoft vulnerabilities were reported last year compared to 325 in 2013.

Avecto found that 2017 was the largest year-on-year increase, with a 54% spike in reported security weaknesses since 2016.

But these vulnerabilities could be mitigated by removing admin rights for users, Avecto advised.

Almost 60% of security weaknesses in Microsoft Office products could be mitigated by removing local admin rights.

And almost 80% of critical vulnerabilities in Windows 10 could have been diminished in 2017 with this method.

There was also a 98% rise in Microsoft browser vulnerabilities, which Avecto claimed was partly due to the inclusion of Microsoft Edge from 2016.

Edge replaced Internet Explorer in 2016 for Windows 10, Windows 10 Mobile, and Xbox One.

But a recent report from Google revealed that the web browser contains a flaw which can bypass Edge’s Arbitrary Code Guard (ACG), increasing users’ exposure to drive by downloads.

The bug affects the just-in-time (JIT) compiler that Edge uses to run JavaScript.

By predicting the amount of memory JavaScript has requested before it can run and implement their own code into the space, the hacker can bypass ACG.

Exposing the bug

The vulnerability was first found by Google’s Project Zero back in November.

Project Zero’s policy is to allow companies 90 days to fix their security issues before they go public with it.

However, since Microsoft passed the 90-day mark without resolving the flaw, Google has released its findings.

The Microsoft Security Response Center replied: “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.”

Although Google’s 90-day window is standard for the company, it has exposed the flaw before Microsoft Edge was able to develop a patch.

In 2016 Google exposed another flaw that could allow a hacker to install a backdoor on a Windows computer.

Terry Myerson of Microsoft wrote in defense: “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”