Microsoft issued the December 2018 Security Updates that include 39 unique vulnerability fixes, 9 of them rated critical.
The updates address multiple Microsoft products to include, but not limited to: Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Microsoft Dynamics NAV, Microsoft Visual Studio and Windows Azure Pack (WAP).
According to Microsoft, attackers are exploiting a Windows Kernel Elevation of Privilege Vulnerability (CVE-2018-8611), rated as Important.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft noted in the advisory.
Another Windows patch fixes Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability (CVE-2018-8626) that’s currently under active attack, according to Trend Micro. Attackers could exploit this bug and send malicious requests to a Windows DNS server.
Also, a number of workstation related vulnerabilities could be exploited via browsers or opening up malicious files.
See the Security Update Guide and December summary release notes for more details on all patches.