Cumulative Security Update for Internet Explorer (961260)
This security update resolves two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)

This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

Extreme Tech :
A few months ago Microsoft started including an “Exploitability Index” value to show how easy it should be to construct a successful attack using the vulnerability they were disclosing. In many cases, a vulnerability may be critical because the consequences of it being exploited are serious, but in fact it is not so easy to exploit.

Monday’s Internet Explorer vulnerabilities were give an Exploitability Index value of 1, which translates to “Consistent exploit code likely.” Microsoft adds the note “Consistent exploit code can be crafted easily.” See the summary and click on Exploitability Index for all this. For some reason, Microsoft does not include these Exploitability Index values in the individual security bulletins, such as the one for Internet Explorer yesterday.

What this means is that you can expect, or at least you should assume, that attack code to exploit this vulnerability will be on the Internet very soon. It will be pushed through all the usual channels, some of which are hard to avoid, such as ad banners.