Microsoft has made available two separate security patches that fall outside of its regularly scheduled monthly updates. These emergency patches fix a zero-day flaw in Internet Explorer and a critical issue in its Windows Defender antivirus software that is built into Windows.
Starting with the former, the IE bug (and accompanying patch) is listed as CVE-2019-1367. It is a remote code execution flaw, and if left unpatched it could allow an attacker to run malicious code on a victim's machine.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email," Microsoft explains.
That's pretty much the definition of a phishing email, and it serves as a reminder to be cautious of clicking on links in emails—it's typically better to type out a URL in your browser to avoid being duped.
If this bug is exploited, an attacker gains the same user rights on the victim's machine as the logged-on user; if that user has administrative rights, the attacker could essentially take full control of the PC. The attacker could then view and siphon personal data, delete files, install malware, and so forth. It affects multiple versions of Windows, including Windows 10, 8.1, 7, and various Server builds.
The other vulnerability (and patch) is detailed in CVE-2019-1255. It's listed as a denial-of-service (DoS) flaw in Windows Defender, and if exploited an attacker could "prevent legitimate accounts from executing legitimate binaries." In other words, legitimate programs would be blocked from running, leaving an affected PC unprotected. This one also affects Windows 10, 8.1, 7, and some Server versions.
It is somewhat rare for Microsoft to release out-of-band security patches, which are those that fall outside of its Patch Tuesday rollouts (bundled security updates that arrive on the second Tuesday of every month). However, Microsoft does do this on occasion, depending on the severity of the situation.