A new report indicates that Microsoft's Edge web browser suffered an increase in critical vulnerabilities in 2024, meaning that cyber criminals could have exploited the software without deceiving users.
The report, produced by cybersecurity firm BeyondTrust, said, however, that Microsoft's vigilance in finding and preventing security flaws has helped to drive down critical vulnerabilities in the company's overall product offerings.
“Critical vulnerabilities dropped to an all-time low of 78 in 2024, compared to 84 in 2023, and 196 back in 2020,” read part of the BeyondTrust report, released April 17.
Christopher Hills, chief security strategist for BeyondTrust, told The National that Microsoft's ubiquitous Office suite also made improvements, and he addressed the recent spike in critical vulnerabilities discovered in Edge.

“The Microsoft Edge vulnerabilities had seemingly plateaued over the last few years,” he said.
“The last significant year for critical vulnerabilities tied to Edge was back in 2020 with 61 critical vulnerabilities. This then dropped to four in 2021, and remained low until this past year, where it saw nine critical and 292 total vulnerabilities, which is a significant increase over 2023.”
BeyondTrust's report largely gives Microsoft high marks for its Secure Future Initiative, which seeks to take a proactive rather than reactive approach to identifying security vulnerabilities.
The report also notes that Microsoft's Windows operating system “offer[s] far greater security” compared with previous generations.
Morey Haber, chief security adviser at BeyondTrust, noted that for all the concerns about critical vulnerabilities that can be exploited without users knowing, the most likely security breaches still occur from malware or phishing scams, where a lack of awareness can create major problems.
“This year’s Microsoft Vulnerabilities Report demonstrates that humans continue to be the weakest link, and not only from social engineering, but also the software we develop,” he wrote in the report.
BeyondTrust's Christopher Hills said that regardless of what operating system or web browser is used, and regardless of the location where users reside, basic cybersecurity awareness is needed.
Haphazardly clicking links and not using basic antivirus software, he said, is a recipe for disaster.
“Threat actors do not discriminate,” he said. “If you leave opportunity on the table, they will exploit it to further their cause or for monetary gains. This is why nobody is safe and every organisation needs to consider themselves a target.”
According to a 2024 report from the World Economic Forum, cybersecurity breaches show no sign of waning, with opportunities for potential cyberattacks growing at an “unprecedented” rate.
Those potential attacks, according to the WEF report, will likely continue with the number of Internet of Things devices expected to exceed 32 billion by 2030.
Security experts also say that artificial intelligence has lowered the barrier for those seeking to commit cyber crimes.

Mr Hills said despite all the warnings, far too many people, even those responsible for cybersecurity, seem to believe they will never be compromised.
“Another human factor in this is many just don’t believe they are a target and I remind people constantly – at conferences, events, and shows – that they are the target and anything they might touch, or have access to, could present an opportunity for a threat actor,” he said.
“I tell them that threat actors are not dumb, but they are lazy – they will take the path of least resistance, and if you leave any opportunity, such as these Microsoft vulnerabilities, on the table for them to exploit or capitalise on, they will take advantage of them.”