December’s Microsoft security updates were published Tuesday, the 11th. There were seven patches, predominantly regarding remote code execution in Office, Windows, and IE.
In Internet Explorer there were critical vulnerabilities, the worst of which, caused by a user going to a malicious site, would allow a remote code execution, and has the potential to give the attacker the same permissions as the user. Another patch, this one for all supported releases of Microsoft Windows, addressed the way that that Window’s kernel-mode drivers were handling objects in memory, in regards to vulnerabilities that could allow remote code execution by someone opening a specifically made document or going to a webpage that embeds TrueType or OpenType font files. Both require a restart.
There was also a critical vulnerability within Microsoft Word that could allow an attacker to gain the same rights as a user if the user opened a specially crafted RTF file or previewed/opened a specially crafted RTF email message in Outlook if Microsoft Word is the email viewer, triggering a remote code execution action. This is an interesting and particularly worrisome issue, because it doesn’t require any sort of interaction from the user. They wouldn’t have to actually click on anything for this exploit to take place within Outlook, which would make it even easier for an attacker to get the rights of the user. This particular update is considered critical for all editions of Word 2010 and 2007. It’s rated important for all supported editions of Word 2003, Word Viewer, Office Compatibility Pack, and Microsoft Office Web Apps.
It’s recommended that users check the update in order to find more information on the full list of patches available this month, as well as specifics regarding what software is affected by these vulnerabilities.