Twenty years ago, Microsoft introduced the concept of Patch Tuesday to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” The goal of Patch Tuesday was to provide needed structure around what was largely an ad hoc process.
20 Years Later: Microsoft’s Vulnerability Problem Has Grown
The ubiquity of Microsoft products and volume of Microsoft vulnerabilities have created a massive attack surface. This shouldn't be a surprise given the popularity of Microsoft’s operating system and office software. One survey found “Microsoft Windows is the most widely used computer (desktop, tablet and console) operating system (OS) in the world.”
Adversaries constantly seek weak points in potential victims’ environments. And as we’ve seen with the growth of Patch Tuesday over the years, Microsoft vulnerabilities provide a broad landscape for adversaries to target.
These numbers may seem high, but they actually understate the scale of the problem. The 1,200+ unique critical vulnerabilities Microsoft has patched since 2016 count each CVE once; if the same vulnerability is counted once for every Microsoft product it affects, the total climbs to almost 21,000. Most Microsoft patches address every affected product with a single install, but there are exceptions, and the patching process varies from product to product.
The massive growth of Microsoft’s vulnerability problem has more than offset any efficiencies gained by refining the patching process. For many security and IT teams, Patch Tuesday has become more of a burden than a relief. They scramble to figure out which vulnerabilities to prioritize, which put them most at risk, which could have downstream impact on IT and which could make or break the business. It often seems that just as the team has figured out what to prioritize, another batch of vulnerabilities drops.
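The distinction above, between unique CVEs, CVE-per-product pairs and the updates an administrator actually has to install, is easy to blur when reading a Patch Tuesday release. The following is an added example, not code from the original post or from CrowdStrike or Microsoft, that makes the three counts explicit over a constructed sample batch. The CVE IDs, KB numbers and product names are hypothetical placeholders, and the record layout (one CVE, a severity, and a product-to-KB map) is an assumption chosen for illustration rather than Microsoft's actual advisory format.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Advisory:
    """One CVE as it appears in a Patch Tuesday release: its severity and,
    for every affected product, the update (KB article) that fixes it there.
    Hypothetical layout used for illustration only."""
    cve: str
    severity: str
    fixes: dict  # product name -> KB article ID


# Constructed sample batch (placeholder CVE IDs, KBs and products; not real data).
# CVE-0000-0001 and CVE-0000-0002 are both closed on Windows Server 2022 by one
# update (KB5000003), while Exchange Server 2019 needs two separate updates:
# the "one install covers everything" rule has exceptions in both directions.
SAMPLE_BATCH = [
    Advisory("CVE-0000-0001", "Critical", {
        "Windows 10 22H2": "KB5000001",
        "Windows 11 22H2": "KB5000002",
        "Windows Server 2022": "KB5000003",
    }),
    Advisory("CVE-0000-0002", "Critical", {
        "Windows Server 2019": "KB5000004",
        "Windows Server 2022": "KB5000003",
    }),
    Advisory("CVE-0000-0003", "Important", {
        "Windows 10 22H2": "KB5000001",
    }),
    Advisory("CVE-0000-0004", "Critical", {
        "Microsoft Office 2019": "KB5000005",
        "Microsoft 365 Apps": "KB5000006",
        "Exchange Server 2019": "KB5000007",
    }),
    Advisory("CVE-0000-0005", "Critical", {
        "Exchange Server 2019": "KB5000008",
    }),
]


def unique_critical(batch):
    """The 'unique vulnerabilities' figure: each critical CVE counted once."""
    return {a.cve for a in batch if a.severity == "Critical"}


def critical_pairs(batch):
    """The 'per-product' figure: one entry per (CVE, affected product) pair.
    This is the expansion that turns 1,200+ unique CVEs into ~21,000."""
    return [(a.cve, product)
            for a in batch if a.severity == "Critical"
            for product in a.fixes]


def updates_per_product(batch):
    """What an administrator actually installs: for each product, the set of
    distinct KBs needed to close every critical CVE affecting it."""
    needed = defaultdict(set)
    for a in batch:
        if a.severity != "Critical":
            continue
        for product, kb in a.fixes.items():
            needed[product].add(kb)
    return dict(needed)


def summarize(batch):
    """Side-by-side view of the three counts plus the products that are
    exceptions to 'one update per product'."""
    per_product = updates_per_product(batch)
    uniq = unique_critical(batch)
    pairs = critical_pairs(batch)
    return {
        "unique_critical": len(uniq),
        "critical_cve_product_pairs": len(pairs),
        "distinct_updates": len({kb for kbs in per_product.values() for kb in kbs}),
        "products_affected": len(per_product),
        "pairs_per_cve": len(pairs) / len(uniq) if uniq else 0.0,
        "multi_update_products": sorted(p for p, kbs in per_product.items() if len(kbs) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BATCH).items():
        print(f"{key}: {value}")
```

On this sample the batch contains 4 unique critical CVEs but 9 CVE-product pairs and 8 distinct updates, and Exchange Server 2019 is the one product that needs more than a single install. Feeding real release data into the same three functions is how a team can see which of the headline counts actually describes its own patching workload.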
This has a huge impact in terms of time, cost, resources and risk. According to the Infosec Institute, the average time it takes to patch a vulnerability can be anywhere from 60 to 150 days. Some security and IT teams take “at least 38 days to issue a patch.” The pace of patching is no match for the speed of the modern adversary and its ability to exploit vulnerabilities.
If a vulnerability isn’t patched fast enough and a breach occurs, the victim is often blamed for falling short of security practices and failing to patch. This ignores the fact that the sheer scale of Microsoft vulnerabilities has once again shifted the burden back to the customer — a burden that grows as adversaries continue to weaponize vulnerabilities.
Microsoft Vulnerabilities: The Attack Surface of the Modern Adversary
Microsoft product vulnerabilities have become the de facto attack surface of the modern adversary. It shouldn’t be surprising that adversaries are weaponizing this growing problem.
Not only are adversaries exploiting existing flaws, they’re also ushering in a new era of “vulnerability rediscovery.” The CrowdStrike 2023 Global Threat Report found adversaries are modifying or reapplying the same exploit to target other, similarly vulnerable products. They’re also circumventing earlier patches.
Additional Resources
- Download the CrowdStrike 2023 Global Threat Report and CrowdStrike 2023 Threat Hunting Report to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
- See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments.
- Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen AV for yourself with a free trial of CrowdStrike Falcon® Prevent next-generation antivirus.