Microsoft has patched 25 software vulnerabilities – including bugs that allow hackers to hijack PCs via Internet Explorer, Word and Excel files, and Visual Basic scripts.
Everyone is urged to install the fixes, as well as a batch of updates from Adobe: a flaw in the Flash plugin is already being exploited by hackers to take over victims' computers via the web.
Microsoft said its December edition of Patch Tuesday includes critical fixes for Windows, Office and Internet Explorer, as well as a patch for Exchange. The full list is as follows:
- MS14-80: Addresses 14 security flaws in Internet Explorer, including various remote-code execution vulnerabilities and an ASLR bypass. The patch is considered a low risk for Windows Server systems, but critical for desktops, laptops and tablets. All the flaws were privately reported, and credit was given to various independent researchers as well as the HP Zero Day Initiative, Qihoo 360 and VeriSign iDefense Labs.
- MS14-81: Two vulnerabilities in Word and Office Web Apps that allow an attacker to remotely execute code on targeted systems if the victims open booby-trapped documents. This update also applies to users running Office for Mac. Credit was given to Google Project Zero researcher Ben Hawkes, who privately reported the flaws to Microsoft. Rated as Critical.
- MS14-84: A remote-code execution vulnerability (CVE-2014-6363) in the Windows VBScript engine can be exploited via a specially crafted webpage. Credit for discovery was given to SkyLined and VeriSign iDefense Labs. Rated as Critical.
- MS14-82: A remote-code execution flaw in Office can be exploited by opening a specially crafted document file. Credit for discovery was given to Ben Hawkes. Rated as Important.
- MS14-83: Two remote-code execution vulnerabilities in Excel can be exploited by opening a specially crafted spreadsheet file. Discovery was credited to Ben Hawkes of Google Project Zero. Rated as Important.
- MS14-75: A set of four flaws in Exchange, including an elevation-of-privilege vulnerability. Researchers Jason Tsang Mui Chung, Adi Ivascu, John Koerner and Nikolay Anisenya were credited with reporting the flaws. Rated as Important.
- MS14-85: A vulnerability in the Windows graphics component in which a malformed JPEG image could let an attacker read sensitive system information, such as where various components are loaded in memory. The vulnerability was spotted by Google researcher Michal Zalewski and was publicly disclosed prior to release of the patch. Rated as Important.
In addition to the Microsoft security releases, Adobe has pushed out its own monthly security fix for flaws in Flash, Reader, Acrobat and ColdFusion.
The Flash update addresses six CVE-listed bugs, including remote-code execution flaws, one of which is being exploited in the wild. The Reader and Acrobat patch addresses 20 CVE entries, including remote-code execution vulnerabilities, and the ColdFusion patch addresses one security vulnerability that allows denial-of-service attacks.
Users are advised to update their Adobe software for Windows, Linux and OS X.