Microsoft has released fixes for 89 security flaws, including four publicly known vulnerabilities and six that have been exploited in the wild.
The number of public and exploited vulnerabilities has been described as "unusual", even though the total number of CVEs is not particularly large.
Seven of the CVEs are rated critical in severity and 79 are described as important. Overall, Microsoft released 90 CVEs, including one that is not yet fixed.
One remote code execution (RCE) vulnerability was named among the exploited flaws. Microsoft Project Remote Code Execution Vulnerability (CVE-2024-38189) has a CVSS score of 8.8 and, according to Microsoft, "requires the victim to open a malicious Microsoft Office Project file on a system where the Block macros from running in Office files from the Internet policy is disabled and VBA Macro Notification Settings are not enabled."
Microsoft wrote: "In an email attack scenario, an attacker could send the malicious file to the victim and convince them to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a malicious file designed to exploit the vulnerability.
"An attacker would have no way to force the victim to visit the website. Instead, an attacker would have to convince the victim to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the malicious file."
Three of the other five actively exploited CVEs are local privilege escalation vulnerabilities, tracked as CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193. They affect the Windows Kernel, Power Management Features, and the Ancillary Function Driver for WinSock, respectively.
"As a local priv-esc vulnerability, an attacker would already need to have gained code execution on the victim machine, either through lateral movement or another exploit for example a malicious document," Kev Breen, Senior Director Cyber Threat Research at Immersive Labs told The Stack.
"An attacker able to exploit this vulnerability would gain 'SYSTEM' privileges on the host. This is the highest level of access for the local machine and would enable an attacker to perform other actions like disabling security tools or dumping credentials to move laterally across the network or gain domain-level access."
Another exploited bug was the Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2024-38213), which has a moderate CVSS score of 6.5.
"An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience," Microsoft wrote. "An attacker must send the user a malicious file and convince them to open it."
The final exploited flaw is a Scripting Engine Memory Corruption Vulnerability (CVE-2024-38178), which has a CVSS score of 7.5.
"This attack requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution," Microsoft wrote. "Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode. The user would have to click on a specially crafted URL to be compromised by the attacker."
Trend Micro's Zero Day Initiative (ZDI) said "the worst" of the RCE bugs was a Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063), which has a critical CVSS score of 9.8 and is wormable, meaning an exploit could spread from one machine to the next over the network without any user interaction or authentication.
It could enable an unauthenticated attacker to "repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution," Microsoft warned.
The Zero Day Initiative wrote: "You can disable IPv6 to prevent this exploit, but IPv6 is enabled by default on just about everything. It's a similar attack scenario for the Reliable Multicast Transport Driver (RMCAST), but in this case, you need a service listening as a receiver on PGM to be vulnerable. That's a bit less likely.
"The Line Printer Daemon (LPD) has a bug with a similar consequence, but LPD isn’t installed by default (and shouldn’t be reachable from the Internet). That’s why it’s listed as Important rather than Critical despite its CVSS 9.8 rating. However, if you are running LPD, definitely treat this as a Critical update."
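An exposure check for the three network-reachable bugs discussed above, as an added example (not from the article, Microsoft or ZDI). It reports whether IPv6 is bound on any adapter (CVE-2024-38063), whether the LPD Print Service is installed and running (CVE-2024-38199), and whether MSMQ multicasting, the usual PGM receiver, is present; the -DisableIPv6 switch applies the IPv6 workaround ZDI mentions. The optional-feature names Printing-LPDPrintService and MSMQ-Multicasting and the service name LPDSVC are assumptions (client-SKU names; on Windows Server use Get-WindowsFeature instead). Run from an elevated PowerShell session.

```powershell
<#
  Exposure check for CVE-2024-38063 (IPv6), CVE-2024-38199 (LPD) and the PGM/RMCAST bug.
  Added example, not from the article, Microsoft or ZDI. Report-only unless -DisableIPv6 is given.
  Assumed names (not in the article): feature "Printing-LPDPrintService", feature "MSMQ-Multicasting",
  service "LPDSVC".
#>
param(
    [switch]$DisableIPv6   # unbind IPv6 from every adapter (the stopgap ZDI mentions)
)

# 1. CVE-2024-38063: any adapter with the IPv6 stack bound is reachable by crafted IPv6 packets.
$v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
if ($v6) {
    "IPv6 bound on: " + ($v6.Name -join ', ')
    if ($DisableIPv6) {
        # Unbinding IPv6 breaks anything that relies on it (DirectAccess, some domain and
        # cluster traffic). Patching is the real fix; this is a temporary mitigation only.
        $v6 | ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
        "IPv6 unbound. Re-enable with: Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
    }
} else {
    "IPv6 not bound on any adapter: CVE-2024-38063 is not reachable over the network."
}

# 2. CVE-2024-38199: only a problem if the optional LPD Print Service is installed
#    and its service (TCP/515 listener) is running. Feature/service names are assumptions.
$lpd    = Get-WindowsOptionalFeature -Online -FeatureName Printing-LPDPrintService -ErrorAction SilentlyContinue
$lpdSvc = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
if ($lpd -and $lpd.State -eq 'Enabled') {
    "LPD Print Service installed; service status: $($lpdSvc.Status). Treat CVE-2024-38199 as Critical here."
} else {
    "LPD Print Service not installed."
}

# 3. PGM/RMCAST: a PGM receiver normally exists only when MSMQ multicast support is installed.
#    Feature name is an assumption.
$pgm = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicasting -ErrorAction SilentlyContinue
if ($pgm -and $pgm.State -eq 'Enabled') {
    "MSMQ Multicasting (PGM) installed; a PGM receiver may be listening."
} else {
    "MSMQ Multicasting not installed; no PGM receiver expected."
}
```

The script defaults to reporting so it can be pushed fleet-wide to build an exposure list before anyone changes bindings; only pass -DisableIPv6 on hosts where the patch cannot be applied promptly and IPv6 is confirmed unused.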
The LPD bug (CVE-2024-38199) is one of the four publicly disclosed flaws, along with Windows Secure Kernel Mode Elevation of Privilege Vulnerability (CVE-2024-21302), Microsoft Office Spoofing Vulnerability (CVE-2024-38200) and Windows Update Stack Elevation of Privilege Vulnerability (CVE-2024-38202).
The Zero Day Initiative added: "While this isn't the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release."