Today's Microsoft updates resolve over 70 vulnerabilities, most of which affect the Windows operating system itself. Two of the vulnerabilities are already being exploited in the wild. Both CVE-2019-0803 and CVE-2019-0859 can result in unauthorized elevation of privilege, and affect all supported versions of Windows.

An attacker must already have local access to an affected system to use these to gain kernel-level code execution capabilities. However, one of the 32 Remote Code Execution (RCE) vulnerabilities patched today could potentially be used with them in an exploit chain to obtain full control of a system.

Aside from these zero-day privilege escalation flaws, it's a fairly standard Patch Tuesday. Which of course still means that there are bugs that should be patched as soon as possible, such as the 8 vulnerabilities classified as Critical in the scripting engine used by Microsoft browsers, and CVE-2019-0822 (an RCE in Microsoft Office that can be exploited by convincing a user to open a malicious file).

On the server side, CVE-2019-0831 is a cross-site scripting (XSS) vulnerability in SharePoint Server, potentially allowing an attacker to gain unauthorized access to certain content or perform actions on the site using the victim's identity. Fixes for two Spoofing attacks against the Outlook Web Access (OWA) component of Microsoft Exchange Server were also released today. Software development shops should also take note of the multiple XSS vulnerabilities and HTML injection that were fixed in Team Foundation Server.

Today Adobe also released fixes across several products, including Flash, Reader, and an update that resolves seven critical memory corruption vulnerabilities in Shockwave Player, the same day they ended support for it.

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
Note: not all CVEs had CVSSv3 data available at the time of writing