Microsoft has recently disclosed six actively exploited vulnerabilities, some of which may be linked to talks given by security researchers at the Black Hat and DEF CON conferences. Although these vulnerabilities may have been reported to Microsoft in advance, they were not deemed severe enough to require immediate out-of-band fixes. This decision is consistent with Microsoft's policy of reserving out-of-band fixes for zero-day vulnerabilities that are widely exploited.
One of the vulnerabilities, CVE-2024-38178, is a memory corruption flaw in the scripting engine that could lead to remote code execution. Despite the potential severity of such a flaw, it has been rated important (7.5 out of 10) rather than critical, because it can only be exploited when a user visits a specially crafted link while using Microsoft Edge in Internet Explorer Mode.
It is important for organizations to understand the nature of these vulnerabilities, especially when they are actively exploited. Microsoft's advisories do not provide detailed information about the attacks that use zero-day flaws, so enterprises may not be aware of how sophisticated or widespread these attacks are unless the reporting organizations or researchers publish their own reports.
As such, enterprises should prioritize patching these actively exploited vulnerabilities regardless of their severity rating or other mitigating factors. By staying informed and taking proactive steps to address these vulnerabilities, organizations can enhance their security posture and reduce the risk of potential exploitation.