14 DAY TRIAL // With its December Patch Tuesday, Microsoft fixed thirty-nine security issues rated as Critical and Important with at least one of them being actively exploited in the wild at the moment the security patches were released.
Out of the thirty-nine security fixes, nine of them were rated as Critical, and six of these, tracked as CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624, CVE-2018-8634, and CVE-2018-8629 are memory corruption vulnerabilities impacting the Chakra scripting engine.
Potential remote attackers could execute code on machines vulnerable to these six issues following successful exploitation by persuading users to click specially crafted content on websites controlled by the actors or to visit maliciously crafted web pages using Microsoft's Edge browser.
Three other Critical security issues tracked as CVE-2018-8540, CVE-2018-8626, and CVE-2018-8631, are remote code injection vulnerabilities in the Microsoft .NET framework, as well as remote code execution vulnerabilities in Windows DNS servers and in Internet Explorer respectively.
Machines affected by the Microsoft .NET framework remote code injection vulnerability could allow potential attackers to take control of the system after providing specially crafted input to apps using vulnerable .NET methods.
Twenty-nine of the vulnerabilities fixed in December's Patch Tuesday are rated as Important
The two remote code execution issues affecting the Windows DNS servers and Internet Explorer could allow possible attackers to run arbitrary code on impacted systems in the context of the currently logged in user.
According to Microsoft's Vulnerability Severity Classification for Windows, security issues are rated as Critical for "Network Worms, or unavoidable common browsing/use scenarios where client is compromised without warnings or prompts."
Microsoft also fixed twenty-nine vulnerabilities rated as Important which could lead to remote code execution and impacting multiple software products ranging from Microsoft Office programs to Internet Explorer' VBScript engine.
On the whole, Microsoft's December security release provides updates for security issues affecting Adobe Flash Player, Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, Microsoft Dynamics NAV, Microsoft Exchange Server, Microsoft Visual Studio, and Windows Azure Pack (WAP).