Microsoft’s December Patch Tuesday brings seven advisories, three of which are critical.
There are 24 CVEs and not 25 because one of the Internet Explorer CVEs in MS14-080 overlaps with the VBScript CVE in MS14-084.
Of the critical issues, MS14-080 has the broadest scope, with 14 CVEs. None of which are publicly disclosed or known to be under active exploit.
The shared CVE with the critical MS14-084 presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE. Systems without IE will only get the MS14-084 patch. Systems with IE 8 and older will get the MS14-080 and the MS14-084 patch. Systems with IE 9 or later will not get the MS14-084 patch because the issue ends up addressed by the MS14-080 patch.
MS14-081 is also critical. In most cases this type of issue would only be important, because typically a document format use-after-free issue requires user interaction to exploit, but in this case because of the potential for exploitation through SharePoint Web Apps the risk is greater.
MS14-075 covers 4 CVEs in all supported versions of MS Exchange. This patch addresses two Outlook Web Access Cross Site Scripting issues, a web application token spoofing issue, and an issue with Exchange URL redirection. Even though only tagged important, the presence of MS Exchange on the perimeter and the potential for this type of attack to combine with stolen credentials and other malicious behavior will make it a patching priority.
The Important Windows issue (MS14-085) is an Information Disclosure vulnerability in Microsoft Graphics component affecting all support OS versions. This vulnerability would allow a maliciously crafted JPEG file to end up used to help predict memory offsets in a given callstack. This vulnerability has gone public, and although not known to be in active attack, could be flying under the radar as this is something only used in conjunction with other attacks to make them more effective.
Top patching priority will be the MS14-080 & MS14-084, followed by MS14-081 and then MS14-075.