Microsoft has rolled out updates that fix a swathe of vulnerabilities across its product. Part of its May 2019 patch Tuesday cycle, the 16 patches critical flaws and remote code execution across Office, .NET Framework, Skype, SQL Server, and more.
22 of those flaws are critical ones, with 4 remote code executions and 18 affecting browsers and scripting engines. One of the most high profile is CVE-2019-0863, and escalation of privilege in Windows Error Reporting that attackers have been exploiting in the wild.
Microsoft is also fixing issues on Android with Skype, where a flaw let attackers stealthily listen in on a conversation. By calling a device with Skype installed and paired with a Bluetooth device, they could piggyback on the call.
Other bugs affect Adobe Flash Player, Team Foundation Server, Visual Studio, .NET Core, Chakra Core, Azure, and more. Many are at level 2 or lower, which means they’re unlikely to be exploited.
This includes an RCE flaw found in Microsoft Word. In it, attackers could craft a file to take advantage of Word’s failure to properly handle objects in memory. Users would have to download a file or click a link to exploit the user.
However, due to the high number of critical flaws, users should still update immediately. Separately to these issues, Microsoft has issued an emergency patch for older Windows releases, including XP. Due to its wormable nature, the vulnerability can spread from one device to another. Those on Windows 7 or below, including Server variants, can read more detail here.