Microsoft has released their December security updates addressing 24 vulnerabilities in Windows, Internet Explorer, Exchange and Office. The bulletins released are:
- MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) - This update was originally supposed to be released in November, but was held back. It addresses four vulnerabilities affecting all supported versions of Microsoft Exchange Server. None are rated critical.
- MS14-080: Cumulative Security Update for Internet Explorer (3008923) - This first update fixes 14 vulnerabilities affecting every supported version of the browser. None have been publicly disclosed or have known public exploits. Ten of the bugs are memory corruption errors. Two are XSS filter bypass vulnerabilities. One is an ASLR bypass and the final one is a VBScript memory corruption vulnerability.
- MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301) - One or both of two remote code execution bugs affect all supported versions of Microsoft Word, Word Web Apps and the Word Automation Services on Microsoft SharePoint 2010 and 2013.
- MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349) - A "use after free" vulnerability exists in the Office document parsing code in all supported versions of Microsoft Office.
- MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347) - Two remote code execution vulnerabilities affect all supported versions of Microsoft Excel.
- MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711) - A remote code execution vulnerability exists in the VBScript engine of Windows. It is rated Critical on desktop Windows versions and Moderate on server versions. Server Core is vulnerable, but not through any known attack vectors.
- MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126) - This update fixes the only publicly-disclosed vulnerability addressed today. It is an information disclosure vulnerability rated Important on all supported versions of Windows.
According to the Microsoft Malware Protection Center, the December version of the MSRT (Malicious Software Removal Tool) adds no new malware families, but does update the detection and remediation capabilities. So far in 2014, the MSRT has removed malware from 5.6 million computers.
Microsoft also released 16 non-security updates to various versions of Windows, including a new set of language packs.