There are 22 critical flaws this month, of which no fewer than 18 affect browsers and scripting engines, with the other 4 being Remote Code Execution (RCE) vulnerabilities in key products like Remote Desktop and Word.
CVE-2019-0708 does not affect Microsoft's latest operating systems - Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
Researchers from universities in Australia, the United States, Belgium and Austria, and from CSIRO's Data61 unit, noted that newer Coffee Lake Refresh i9 processors are, ironically enough, more vulnerable to Fallout than older parts, due to Intel's countermeasures against the earlier Meltdown speculative execution information leak flaw. However, it has made fixes available for these systems as patch KB4500705.
Partial mitigation against the RDS vulnerability is possible with network-level authentication (NLA). An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, or Terminal Services as it was. These include CVE-2019-0725, a vulnerability in Windows Server's DHCP server.
A newly discovered vulnerability in the commonly used Remote Desktop Services (RDS) that can be abused to create worms or self-spreading malware has prompted Microsoft to create security patches for the obsolete Windows XP and Server 2003 operating systems.
While you're patching that, there's a lot of other stuff to fix in the Patch Tuesday update.
Microsoft also patched CVE-2019-0953, a remote code execution vulnerability in Microsoft Office that lets an attacker run code as the targeted user by persuading them to open a malicious file. As is traditional, Adobe dropped 86 flaw fixes, mainly in Reader and Acrobat, and Citrix, too, has one of its own.