Microsoft issued the February 2019 Security Updates, which include nearly 74 unique vulnerability fixes, 20 of them rated critical.
The updates address multiple Microsoft products including, but not limited to: Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Framework, ASP.NET, Exchange Server, Azure IoT SDK, and Microsoft Visual Studio.
One of the security updates addresses an Exchange Server elevation-of-privilege 0-day vulnerability, CVE-2019-0686.
Security experts said earlier this month that an attacker could exploit this vulnerability to gain domain administrator privileges if they have access to Exchange mailbox credentials and can also communicate with both an Exchange server and a Windows domain controller.
Another Exchange vulnerability patched in this update was CVE-2019-0724.
“Exploitation of this vulnerability requires Exchange Web Services (EWS) and Push Notifications to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Active Directory domain controller, thereby facilitating gaining of increased privileges on the domain controller,” Microsoft noted in the advisory.
A number of workstation-related patches also address critical vulnerabilities in Microsoft browsers.
See the Security Update Guide and February summary release notes for more details on all patches.