Black Tuesday Dec. 2006
I know this is a bit after the fact; I blame Canada.
As always, Microsoft's official overview can be found here.
ISC's gridtastic overview can be found here.
But as always, I'm just highlighting the client-side type exploits, so you can see the above to see everything. It turns out they're almost all client-side vulnerabilities thought.
MS06-072 (Critical) is a cumulative update for IE (6 and below, not 7), and is primarily comprised of issues which were not previously known or public. CVE-2006-5579 is an issue with JavaScript which can cause multiple errors simultaneously and then subsequently access previously freed memory. This can potentially lead to remote code execution. CVE-2006-5581 pertains to the "inproper use of the normalize() function" (advisory) in DHTML which can allow a user to execute arbitrary code. CVE-2006-5578 and CVE-2006-5577 are both information disclosure vulnerabilities related to Temporary Internet Files (TIFs), however MS rates the former as "Important" and the latter as "Moderate." What's interesting about these is that the second one can be used to learn the path of a TIF and then that path can be used by the first one which can access (i.e. retrieve via a malicious website, if the name is known) arbitrary TIF files.
MS06-073 (Critical) I don't think I need to say too much about this, because I already covered it here when it came out.
MS06-078 (Critical) deals with 2 Windows Media Player flaws. CVE-2006-4702 is a buffer overflow in .asf files which can lead to arbitrary code execution in WMP 6.4. CVE-2006-6134 is a heap-overflow in the core DLL for WMP 10 which deals with .asx files.
MS06-076 (Important) is single unspecified vulnerability in Outlook Express whereby an attacker can create a malicious Windows Address Book (WAB) file. This can lead to code execution, however it appears the user has to manually open up the WAB file in order to trigger it, hence its lowered severity rating. This issue is CVE-2006-2386.
To see previous month's patches which pertained to client-side security, you can use the BlackTuesday tag below.
