Today Microsoft released fixes for 79 separate security flaws, affecting products across much of their portfolio. Two of these have been seen exploited in the wild: CVE-2019-1214 and CVE-2019-1215 are both privilege elevation vulnerabilities affecting all supported versions of Windows, one in the log file driver and the other in the WinSock Installable File System (IFS) driver. Three other vulnerabilities had been publicly disclosed before today. Two of them (CVE-2019-1235 and CVE-2019-1253) also allow privilege elevation on Windows systems, and CVE-2019-1294 is a secure boot bypass on Windows 10 and Server 2019 systems. An attacker able to gain physical access to a system could exploit certain debugging functionality and access protected kernel memory.

Remote Desktop Protocol (RDP) vulnerabilities have been top of mind for many security practitioners lately, with a public exploit for the "wormable" BlueKeep vulnerability from May (CVE-2019-0708) released late last week and seven other RDP flaws patched with August's updates. This month, four new RDP vulnerabilities, all allowing Remote Code Execution (RCE) and considered Critical, were patched. In a slight twist, these are all client-side vulnerabilities, where if a system connects to a malicious server an attacker would be able to execute code on the connecting client. A user would have to somehow be convinced to connect such a server, either via social engineering or by using something like a DNS poisoning attack. The identifiers for these vulnerabilities are CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291. The latter two affect all supported versions of Windows, while the former two are limited to non-Server editions of Windows.

Products other than Windows that had patches released today include Office, .NET Framework, Internet Explorer, Edge, Visual Studio, Skype for Business, Lync Server 2013, Exchange Server, Team Foundation Server, and SharePoint. When it comes to prioritization, operating system and browser patches should be applied as soon as possible, followed by SharePoint Server, then Office and other server-side products. It's worth mentioning that two Adobe Flash vulnerabilities were also patched today (CVE-2019-8069 and CVE-2019-8070), both which are considered Critical and could allow arbitrary code execution.

Vulnerability Count by Component

Vulnerability Count by Impact

Vulnerability Count by Severity

CVSSv3 Base Score Distribution
Note: not all CVEs had CVSSv3 data available at the time of writing