September 20, 2024

Microsoft fixes six actively exploited vulnerabilities

The proximity to Black Hat and DEF CON may have played a role in this, though, as some of the publicly disclosed vulnerabilities came from talks given by security researchers last week at the two conferences. Those vulnerabilities might have been responsibly reported to Microsoft in advance, but they weren't considered serious enough to warrant out-of-band fixes, something Microsoft typically reserves only for widely exploited zero-day vulnerabilities.

Six actively exploited flaws

Actively exploited vulnerabilities should be prioritized for patching, regardless of whether they are considered critical or have other limiting factors. Microsoft does not include details about attacks using zero-day flaws in its advisories, so companies cannot know how sophisticated or widespread those attacks are unless the organizations or third-party researchers who reported them publish their own reports.

For example, one vulnerability, identified as CVE-2024-38178, is described as a memory corruption vulnerability in the scripting engine that can lead to remote code execution. Normally, unauthenticated remote code execution vulnerabilities would be rated as critical, but this flaw is rated as important (7.5 out of 10) because it can only be exploited when a user visits a specially crafted link with Microsoft Edge running in Internet Explorer mode.
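The prioritization argument above can be applied mechanically. The following is an added example, not code from Microsoft or from this article: it reads the exploit-status flags from advisory records and orders patching by those flags before severity score. The record shape is an assumption modeled on MSRC's CVRF JSON, the placeholder CVE entries are constructed, and ranking publicly disclosed flaws second is an assumed policy.

```python
# Added example: patch order driven by exploit-status flags, not score alone.
# Assumption: records follow the shape of MSRC's CVRF JSON, where a "Threats"
# entry with Type 1 carries "Publicly Disclosed:..;Exploited:..".

SAMPLE = [  # constructed records; only CVE-2024-38178, its 7.5 score and
            # its exploited status come from the article
    {"CVE": "CVE-PLACEHOLDER-A",
     "Threats": [{"Type": 1, "Description": {"Value": "Publicly Disclosed:No;Exploited:No"}}],
     "CVSSScoreSets": [{"BaseScore": 9.8}]},
    {"CVE": "CVE-2024-38178",
     "Threats": [{"Type": 1, "Description": {"Value": "Publicly Disclosed:No;Exploited:Yes"}}],
     "CVSSScoreSets": [{"BaseScore": 7.5}]},
    {"CVE": "CVE-PLACEHOLDER-B",
     "Threats": [{"Type": 1, "Description": {"Value": "Publicly Disclosed:Yes;Exploited:No"}}],
     "CVSSScoreSets": [{"BaseScore": 8.8}]},
    {"CVE": "CVE-PLACEHOLDER-C", "Threats": [], "CVSSScoreSets": []},  # no flags, no score
]

def exploit_status(record):
    """Parse the Type 1 threat entry; a missing flag is treated as not set."""
    flags = {}
    for threat in record.get("Threats", []):
        if threat.get("Type") != 1:
            continue
        for field in threat.get("Description", {}).get("Value", "").split(";"):
            key, _, value = field.partition(":")
            flags[key.strip().lower()] = value.strip().lower() == "yes"
    return {"exploited": flags.get("exploited", False),
            "disclosed": flags.get("publicly disclosed", False)}

def base_score(record):
    """Highest CVSS base score on the record, 0.0 when none is present."""
    scores = [s.get("BaseScore", 0.0) for s in record.get("CVSSScoreSets", [])]
    return max(scores, default=0.0)

def patch_order(records):
    """Exploited first, then publicly disclosed (assumed policy), then by score."""
    def key(record):
        status = exploit_status(record)
        return (not status["exploited"], not status["disclosed"], -base_score(record))
    return [r["CVE"] for r in sorted(records, key=key)]

def severity_order(records):
    """Naive ordering by score only, shown for comparison."""
    return [r["CVE"] for r in sorted(records, key=lambda r: -base_score(r))]

if __name__ == "__main__":
    print("by score only:", severity_order(SAMPLE))
    print("triage order :", patch_order(SAMPLE))
```

Sorting by score alone puts the 7.5-rated CVE-2024-38178 third of four; the flag-driven order puts it first.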
