The proximity of Black Hat and DEF CON may have played a role in that, however, as some of the publicly disclosed vulnerabilities emerged from talks given by security researchers last week at the two conferences. That vulnerability may have been responsibly reported to Microsoft early on, but it wasn’t considered severe enough to warrant an out-of-band fix — something Microsoft typically reserves only for the most exploitable zero-day vulnerabilities.
The six exploited flaws
Actively exploited vulnerabilities should be prioritized for patching regardless of whether they are rated critical or have mitigating factors. Microsoft does not include details about the attacks that use zero-day flaws in its advisories, so businesses cannot know how sophisticated or widespread those attacks are unless the third-party organizations or researchers who reported them publish their own findings.
For example, one vulnerability, tracked as CVE-2024-38178, is described as a memory corruption vulnerability in the scripting engine that could lead to remote code execution. Remote code execution would normally be rated critical, but this bug is rated important (7.5 out of 10) because it can only be exploited when the user visits a specially crafted link with Microsoft Edge running in Internet Explorer Mode.