Microsoft’s Patch Tuesday updates this month address 75 vulnerabilities.
All of the vulnerabilities rated critical affect web browsers.
Most of these holes are remote code execution flaws that exist due to the way browser scripting engines handle objects in memory.
The only critical vulnerability that cannot be exploited for arbitrary code execution can lead to the disclosure of information that an attacker could use to further compromise the target.
Two flaws patched by Microsoft were publicly disclosed before patches became available, but they are only rated “important,” and there is no evidence of malicious exploitation. These bugs are a denial-of-service (DoS) issue in ASP.NET and a privilege escalation in Exchange.
The Zero Day Initiative (ZDI) said the Exchange vulnerability exists in the Outlook Web Access (OWA) component and could be used as part of phishing attacks.
Another privilege escalation flaw affects the Windows Installer, and it allows an authenticated attacker to run arbitrary code with elevated permissions.
Another vulnerability is a remote code execution bug (CVE-2018-0886) affecting the Credential Security Support Provider (CredSSP) protocol.
In addition to applying Microsoft’s patch, users also need to make some settings changes in order to fully mitigate potential attacks.