The proximity to Black Hat and DEF CON may have played a part in that, however, as some of the publicly disclosed vulnerabilities came from talks given by security researchers last week at the two conferences. Those vulnerabilities might have been reported responsibly to Microsoft in advance, but weren’t considered severe enough to warrant out-of-band fixes — something that Microsoft typically reserves only for widely exploited zero-day vulnerabilities.

Six actively exploited flaws

Actively exploited vulnerabilities should be prioritized for patching regardless of whether they are rated critical or have other limiting factors. Microsoft doesn’t include details about the attacks using zero-day flaws in its advisories so enterprises can’t know how sophisticated or widespread those attacks are unless the third-party organizations or researchers who reported them publish their own reports.

For example, one vulnerability, tracked as CVE-2024-38178, is described as a memory corruption vulnerability in the scripting engine that can result in remote code execution. Normally unauthenticated remote code execution vulnerabilities would be rated critical, but this flaw is rated as important (7.5 out of 10) because it can be exploited only when a user visits a specifically crafted link with Microsoft Edge running in Internet Explorer Mode.