Microsoft has released security updates to address a total of 118 vulnerabilities across its software portfolio. Among these, two vulnerabilities have been actively exploited in the wild.
Out of the 118 flaws, three are classified as Critical, 113 as Important, and two as Moderate. Notably, the Patch Tuesday update does not include the 25 additional flaws that were fixed in the Chromium-based Edge browser in the past month.
Five vulnerabilities are known to the public at the time of release, with two of them being actively exploited as zero-days:
- CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
- CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
- CVE-2024-43583 (CVSS score: 7.8) – Winlogon Elevation of Privilege Vulnerability
- CVE-2024-20659 (CVSS score: 7.1) – Windows Hyper-V Security Feature Bypass Vulnerability
- CVE-2024-6197 (CVSS score: 8.8) – Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)
These vulnerabilities are significant, with CVE-2024-43573 being linked to previous exploits by threat actors.
Microsoft has not provided details on the exploitation of these vulnerabilities, but it is advised to apply the patches to mitigate any potential risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added these vulnerabilities to its Known Exploited Vulnerabilities catalog.
Additional software patches from other vendors have also been released to address security vulnerabilities in recent weeks.
