Microsoft's Patch Tuesday this month had higher-than-usual stakes, with fixes for an Internet Explorer zero-day under active exploitation and for an Exchange Server flaw that was disclosed last month along with proof-of-concept code.
The IE vulnerability, Microsoft says, allows attackers to check whether one or more files are stored on the disks of vulnerable computers. Attackers first have to lure targets to a malicious site. Microsoft, without providing any details, said it has detected active exploits against the vulnerability, which is indexed as CVE-2019-0676 and affects IE version 10 or 11 running on all supported versions of Windows. The flaw was discovered by members of the Google Project Zero vulnerability research team.
Microsoft also patched Exchange against a vulnerability that allows remote attackers with little more than a non-privileged mailbox to gain administrative control over the server. Dubbed PrivExchange, CVE-2019-0686 was publicly disclosed last month, along with the proof-of-concept code that exploited it. In Tuesday's advisory, Microsoft said it has not seen active exploits yet, but that they are "likely."
Lest readers be tempted to think that Microsoft is the only major software maker whose products have been actively exploited in recent weeks, Apple last week patched three iOS vulnerabilities that researchers say were exploited as zero-days in the wild. Two of those zero-days were discovered by Project Zero. Apple declined to comment.
Overall, Microsoft has patched more than 70 vulnerabilities, 20 of which were rated critical. Vulnerable products include IE, Edge, Windows, Office, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Microsoft Dynamics, Team Foundation Server, and Visual Studio Code. Microsoft has an overview here.