December continues this quarter's trend, 10 bulletins addressing remote code execution (RCE) vulnerabilities, while the remaining two address elevation of privilege. The vulnerabilities affect Internet Explorer (7 and onwards), Edge, Office, Silverlight, VBScript scripting engine and Windows (Vista and onwards). It is advisable for users and administrators to patch the affected platforms.

Microsoft released 12 security bulletins this month, two thirds of them rates as critical, resolving a total of 58 vulnerabilities. All of the critical bulletins (MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, MS15-131) are remote code execution issues affecting a variety of products and platforms including Edge, Internet Explorer, Live Meeting, Lync, Office, Office for Mac, Office Web Apps, Silverlight, Skype, VBScript and all supported releases of Microsoft Windows.

Specifically, MS15-124, MS15-125 and MS15-128 are the bulletins to watch out for this month, addressing 33 vulnerabilities. Since a wide range of products are affected this month almost all Microsoft users should be on alert. Microsoft's update addresses the vulnerabilities by resolving underlaying issues with how certain functions in VBScript handle objects in memory, preventing cross site scripting (XSS) from incorrectly disabled HTML attributes, proper enforcement of content types and cross–domain policies.

From the bulletins released in December, the following vulnerabilities are know to have been exploited:

Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code and gain the same rights as the user. Your best protection against these threats is to patch as quickly as possible. 

Resolved Vulnerability Reference: