Patch Tuesday for July 2019 is on the heavier side as far as they go, with Microsoft fixing 77 vulnerabilities in total. Microsoft also published an advisory describing a
cross-site scripting vulnerability in the on-premise edition of Outlook for web (previously known as Outlook Web App), but instead of issuing a fix they are telling administrators to mitigate it by blocking SVG files via a policy setting.

CVE-2019-0785, a remote code execution (RCE) in Windows DHCP Server, is most critical to patch. However, it only affects DHCP servers that are configured to run in failover mode so shouldn't be very prevalent in most environments.

The mix this month includes two vulnerabilities that have already been seen exploited in the wild, both of which allow local privilege elevation. CVE-2019-0880 is a flaw in the Windows print spooler process that affects all supported versions of the OS later than Windows 7. CVE-2019-1132 is in the Win32k component and is being used to target older versions (Windows 7, as well as Server 2008 and 2008 R2).

Separate from these 0-days, six vulnerabilities were publicly disclosed prior to today, all of which were ranked as having "Important" severity (this means at least some level of user interaction is required to successfully exploit them). One of these, CVE-2019-0887, is a new remote code execution (RCE) vulnerability in Remote Desktop Services (RDS). An attacker with access to a system running RDS when a user connects to it can exploit a flaw in the clipboard redirection feature in order to execute code on the user's system.

Although the Microsoft Graphics Component is no stranger to vulnerabilities, it's overrepresented this month with a total of 21 CVEs (11 of which are RCE), outpacing both the browser and OS vulnerabilities that were fixed. Many of these are specifically in DirectWrite, a text layout and rendering API, and can be exploited by convincing a user to open a specially crafted document or visit a malicious webpage.

Plenty of server software got updated today as well, with fixes published for Exchange, SharePoint Server, and SQL Server.

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
Note: not all CVEs had CVSSv3 data available at the time of writing