First off, the big news for today's Patch Tuesday: Microsoft has fixed four new Remote Desktop Services (RDS) vulnerabilities, reminiscent of the BlueKeep vulnerability (CVE-2019-0708) that was patched last May. CVE-2019-1181 and CVE-2019-1182 both affect all supported versions of Windows, and can be exploited without any authentication or user interaction. This means that they are "wormable" and could potentially lead to a widespread infection such as the WannaCry epidemic of 2017. Security agencies from nation states around the world have been urging people to patch systems against BlueKeep for months now in the hopes of mitigating such an outbreak, and these new flaws bring the patching situation back to day 1. The only comparatively good news is that Windows XP, Windows Server 2003, and Windows Server 2008 are not affected, as they were with BlueKeep. Hopefully most administrators have already enabled Network Level Authentication (NLA) due to BlueKeep, but even with that mitigation in place remote code execution (RCE) is possible if an attacker has valid credentials. The other two similar vulnerabilities are CVE-2019-1222 and CVE-2019-1226, which only affect Windows 10 and Server 2019, but are not mitigated by enabling NLA. Blocking direct access to RDS (which typically runs on TCP port 3389) will help mitigate these vulnerabilities, and configuring Windows event log monitoring of RDP access and authentication attempts is also recommended. See this blog post for more details.
That leaves us with 89 additional CVEs that were patched by Microsoft today, the most in a single month since June 2017. 33 of these also allow RCE, and the majority are considered Critical. The really bad looking ones are DHCP-related, with CVE-2019-1212 (all supported versions of Windows) and CVE-2019-1213 (Server 2008) affecting DHCP Servers, and CVE-2019-0736 affecting DHCP clients on all supported versions of Windows. None of the vulnerabilities Microsoft patched today have been seen exploited in the wild or were previously disclosed to the public, but as always it is just a matter of time before we see these being used by attackers.
Several of the usual suspects that typically get patched, such as Adobe Flash and .NET, got the month off. However, browsers, Office, SharePoint Server and Dynamics also got patched today. Microsoft also released new guidance for LDAP on Active Directory domain controllers (ADV190023), recommending a new set of default configurations that make the domain controllers resilient to potential elevation of privilege vulnerabilities. Administrators should make sure they're patched against all of these once any RDS and DHCP exposure in their environments has been addressed.
Note: not all CVEs had CVSSv3 data available at the time of writing