Microsoft issued the December 2018 Security Updates that include 39 unique vulnerability fixes, 9 of them rated critical.
The updates address multiple Microsoft products, including but not limited to Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Microsoft Dynamics NAV, Microsoft Visual Studio and Windows Azure Pack (WAP).
According to Microsoft, attackers are exploiting a Windows Kernel Elevation of Privilege Vulnerability (CVE-2018-8611), rated as Important.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft noted in the advisory.
Another Windows patch fixes a Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability (CVE-2018-8626) that’s currently under active attack, according to Trend Micro. Attackers could exploit this bug by sending malicious requests to a Windows DNS server.
Also, a number of workstation-related vulnerabilities could be exploited via browsers or by opening malicious files.