The Microsoft flaws join a rash of zero days disclosed over the past week by various companies, including Apple, Google and Adobe.
Meanwhile, two exploited Exchange flaws that publicly emerged two weeks ago were not addressed in Microsoft’s update.
The vulnerability in the Windows Common Log File system could allow an authenticated attacker to execute code with elevated privileges.
Attackers were attempting to exploit the flaw to distribute the Emotet, Trickbot and Bazaloader malware.
The Exchange Server flaw is one of 55 vulnerabilities fixed in Microsoft's Patch Tuesday update.