Microsoft’s Patch Release Covers Five Exploited Zero-Day Bugs, Not Four: Researcher

‘We’re not sure why they don’t list [the vulnerability] as being under active attack, but you should treat it as though it were,’ writes Trend Micro’s Dustin Childs.

Microsoft’s monthly release of security fixes addresses five zero-day vulnerabilities that are seeing active exploitation, despite the company only listing four zero days in its disclosure Tuesday, according to a Trend Micro researcher.

The flaws received patches as part of Microsoft’s monthly release of software bug fixes, unofficially known as “Patch Tuesday.”

Among the 79 new CVEs (Common Vulnerabilities and Exposures) disclosed by Microsoft Tuesday, the tech giant listed four zero-day flaws—affecting Windows and Microsoft Publisher—as known to be seeing active exploitation.

However, a fifth vulnerability impacting Windows and fixed in the Tuesday release was also previously reported to Microsoft as exploited by the threat hunting team at Trend Micro’s Zero Day Initiative (ZDI), according to Dustin Childs, head of threat awareness at ZDI.

“When we told Microsoft about the bug, we indicated it was being actively used,” Childs wrote in a post Tuesday. “We’re not sure why they don’t list it as being under active attack, but you should treat it as though it were, especially since it affects all supported versions of Windows.”

As of this writing, the Windows MSHTML Platform Spoofing Vulnerability (tracked at CVE-2024-43461) was still listed on Microsoft’s website as not exploited.

CRN has reached out to Microsoft for comment.

The four zero-day flaws that Microsoft did list as exploited are a Windows Update Remote Code Execution Vulnerability (CVE-2024-43491); a Microsoft Publisher Security Features Bypass Vulnerability (CVE-2024-38226); a Windows Mark of the Web Security Feature Bypass Vulnerability (CVE-2024-38217); and a Windows Installer Elevation of Privilege Vulnerability (CVE-2024-38014).

One Critical Zero Day

Of those, only the Windows Update remote code execution flaw is listed as a critical-severity issue, with a severity score of 9.8 out of 10.0.

However, in its release Tuesday, Microsoft noted that the vulnerability only impacts a single version of Windows 10 (version 1507), which was the original release of the operating system and went into end-of-support in May 2017.

The flaw also has not technically been exploited itself, but its presence can enable the exploitation of certain “optional components” in Windows 10, Microsoft said.

“This CVE documents the rollback of fixes that addressed vulnerabilities which affected some Optional Components for Windows 10 (version 1507),” the company said. “Some of these CVEs were known to be exploited, but no exploitation of CVE-2024-43491 itself has been detected.”