One of the more serious vulnerabilities concerns a Windows VBScript Engine flaw, it allows exploitation by merely visiting a webpage in Edge or Internet Explorer:
Hackers – including nation-state agents – are already abusing this programming cockup right now to compromise computers in the wild and spy on targets. The flaw was discovered and reported by Anton Ivanov and Vladislav Stolyarov of Kaspersky Lab, as well as Ding Maoyin, Jinquan, Song Shenlei, and Yang Kang of Qihoo 360 Core Security.More at The Register.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft noted.