Microsoft just provided advance notice of the patches scheduled to be released on Tuesday, December 9. The details as they are currently known are available at https://technet.microsoft.com/library/security/ms14-dec
A total of seven bulletins will be released. Three are designated CRITICAL and the remaining four are designated IMPORTANT. At least one of the CRITICAL bulletins applies to all current versions of Internet Explorer. Other bulletins designated as CRITICAL apply to Microsoft Exchange and also to Office 2007, 2010 and 2013 applications. Considering the scope of the patches for December, workstations should likely be patched as soon as possible.
Additional details will be provided once the patches are released to the public at approximately 12 (noon) Central time, 10 a.m. Pacific time, on 12/9.
Update December 9 1:45 p.m.
Microsoft has just released the patches for December 2014. As previously indicated, there are a total of seven bulletins released for December 2014. Three of the bulletins are classified as CRITICAL and the remainder are classified as IMPORTANT. Bulletins classified as CRITICAL apply to all versions of Internet Explorer, Microsoft Office and Microsoft Windows.
The Internet Explorer bulletin (see https://technet.microsoft.com/library/security/MS14-080 ) released in December addresses fourteen privately reported vulnerabilities in all versions of Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if the user views a specially crafted web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
The Microsoft Office vulnerabilities (see https://technet.microsoft.com/library/security/ms14-081 ) patched in the December bulletins apply to all supported versions of MS-Word in Microsoft Office for Windows, MS-Office for Macintosh 2011, Microsoft Word Viewer, all versions of Microsoft SharePoint, and Microsoft Office Web Apps 2010 and 2013.
The Windows bulletin (see https://technet.microsoft.com/library/security/ms14-084 ) released in December addresses a single privately reported vulnerability in the VBScript (Visual Basic Script) scripting engine in Windows. The vulnerability could allow remote code execution if the user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is classified as MODERATE for the VBScript scripting engine on Windows Server systems.
The Exchange bulletin (see https://technet.microsoft.com/library/security/MS14-075 ), released in December and not classified as CRITICAL, addresses four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow an elevation of privilege if a user clicked on a specially crafted URL that directed them to a targeted Outlook Web App site.
Also, while not classified as CRITICAL by Microsoft, bulletins https://technet.microsoft.com/library/security/ms14-081 and https://technet.microsoft.com/library/security/ms14-082 apply to Microsoft Office and Excel and are designated as CRITICAL by SANS – https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+-+December+2014/19043
Additionally, Adobe has released the following security updates:
ColdFusion versions 10 and 11 – http://helpx.adobe.com/security/products/coldfusion/apsb14-29.html
Adobe Reader and Acrobat for Windows and Macintosh – http://helpx.adobe.com/security/products/reader/apsb14-28.html (version 10.1.13 and 11.0.10)
Adobe Flash for Macintosh, Windows, Google Chrome and Internet Explorer – http://helpx.adobe.com/security/products/flash-player/apsb14-27.html (version 184.108.40.206)
The Adobe patches are assigned a priority rating of 1, and address vulnerabilities that are either currently being targeted or have a higher risk of being targeted by exploits in the near future.
That being the case, it is recommended that the Microsoft and Adobe patches be applied to workstation systems as soon as possible and that the Microsoft patches be applied to Exchange servers after appropriate testing has been completed.
Update December 15 8:15 a.m.
On Friday, December 12, Microsoft reissued the Exchange patch (MS14-075) due to problems experienced by some users who installed the patch early.