Microsoft released security advisory MS15-131 on Dec. 8, documenting critical vulnerabilities in some Office products. In addition to five memory corruption flaws, a remote code execution vulnerability exists that can be exploited by attackers without the user taking any action other than previewing an email in Outlook.
A fix is available for all Windows and Windows-based software; the Global Configman service is working to push these updates as soon as possible. Microsoft Office for Mac 2011 and 2016 fixes are not yet available; they will be released as soon as possible. The current suggested workaround is to disable previewing messages in Outlook.
Additionally, Microsoft released security advisory MS15-135 documenting a critical vulnerability in Windows Kernel-Mode drivers. If successfully exploited, the vulnerabilities can lead to an elevation of priviledge for an attacker if they are able to log onto a vulnerable system and execute specially written code.
Though this advisory is rated "Important" and not "Critical" by Microsoft, they note that an exploit for one of the four vulnerabilities in the report -- CVE-2015-6175 -- has been detected in the wild. Be aware that aside from applying the Windows Updates there are no currently known workarounds or mitigating factors for these vulnerabilities.
The Global ConfigMgr service is working to push these updates as soon as possible.
Further reading:
MS15-131
- https://technet.microsoft.com/en-us/library/security/MS15-131
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6040
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6118
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6122
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6124
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6177
MS15-135