Microsoft may appear to end 2014 on a light note, but the security updates in this month's Patch Tuesday cycle still pack quite a punch.
After November's monstrous batch of security updates, Windows Server admins will have seven security updates to implement in December. Three updates are marked as critical and four as important.
All three critical updates address remote code execution vulnerabilities. One of these updates addresses 14 reported vulnerabilities in multiple versions of Internet Explorer (IE), which could be exploited if end users visit a malicious web page through IE.
The other critical updates address vulnerabilities in multiple versions of Microsoft Word and Microsoft Office Web Apps as well as the VBScript scripting engine. Two vulnerabilities in Word and Office Web Apps could be exploited if attackers convince end users to open a malicious file using affected versions of these programs.
Office received another important security fix for a remote code execution vulnerability, which could also be exploited in the same way as the Office critical update.
While it's unclear why there is a distinction between the two bulletins, their severity ratings could rest on how exploitable each vulnerability is.
"In the past this distinction of having to open a file is a defensive mechanism," said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif. "That's what you do with Word, you open a file. Those Office vulnerabilities are pretty serious." The vulnerability in VBScript, which affects multiple versions of Windows, could be exploited if end users visit a malicious website.
December's four important updates
The four important updates in this Patch Tuesday cycle address remote code execution, information disclosure and elevation of privilege vulnerabilities.
The information disclosure vulnerability affects a Microsoft graphics component in multiple versions of Windows. The vulnerability could be exploited if end users go to websites with malicious JPEG content.
The final important update addresses four elevation of privilege vulnerabilities affecting multiple versions of Exchange, which could be exploited if end users click on malicious URLs that take them to a targeted Outlook Web App site.
The complete list of updates and affected software can be found in Microsoft's security bulletin summary.
Reflecting on Microsoft's 2014 security record
November's Patch Tuesday was the largest of the year with a total of 14 security updates, but two updates meant for that Patch Tuesday release were pulled at the eleventh hour. One of those updates, MS14-068, was rated critical for multiple versions of Windows and was rolled out the week after Patch Tuesday. The other pulled update, MS14-075, was rolled out in this month's Patch Tuesday cycle.
Kandek noted a marked decrease in the number of bulletins Microsoft issued in the last year, but an increase in zero-days used by attackers.
"From our side we've had more work this year than in past years, [with] more to do and [having to be] quicker to react," said Kandek.