Microsoft has released its first Patch Tuesday security update for 2018, which brings fixes for 56 flaws, as well as Adobe Flash updates, and a fix for a new Office vulnerability caused by Word's built-in Equation Editor that's already under attack.
A cybercriminal gang began exploiting that flaw soon after Microsoft released the patch. According to Microsoft, someone else has since been using a related Office memory corruption flaw in remote attacks that are possibly using specially crafted Office or WordPad files.
Researchers at Palo Alto Networks found thousands of attempts to exploit this flaw after the November patch, including one that targeted organizations in Europe. Disguised as a bogus invoice, it installed the FormBook information-stealing trojan.
All 16 of this month's critical bugs stem from scripting engine flaws affecting Microsoft's Edge and Internet Explorer. Half of the scripting engine bugs were reported by researchers at Google's Project Zero.
As noted by Rapid7, 13 of these browser issues are remote code execution flaws. There are also 38 bugs rated as important, one moderate issue, and a single low-severity issue.
Microsoft fixed a total of 19 Office flaws in this update, including four remote code execution flaws in Word that are rated as important.
Additional updates address bugs in Windows, SMB Server, the Windows Subsystem for Linux, the Windows kernel, .NET Framework, and ASP.NET.
Microsoft released three advisories this month, including its guidance on how to mitigate the Meltdown and Spectre attacks, a note on new defense-in-depth features for Office, and Adobe's latest Flash updates.