These three flaws are remote code execution vulnerabilities in the Remote Desktop Client and in .NET and Visual Studio, and a flaw in the Windows Fax and Scan service that can lead to escalation of privilege.
Commenting on the release, Claire Tills, senior research engineer at security shop Tenable, said: "This month's Patch Tuesday release includes fixes for 71 CVEs – three that are rated critical and three zero-days that were publicly disclosed but have not been exploited in the wild.
"Microsoft addressed CVE-2022-23277, a remote code execution vulnerability in Microsoft Exchange. Microsoft notes that an attacker must be authenticated to exploit this vulnerability."
Tills added that Microsoft had also patched two remote code execution vulnerabilities in the Remote Desktop Client, both rated Exploitation More Likely.
"Both of these flaws require a user to connect to an attacker-controlled server from a vulnerable Remote Desktop Client in order to exploit the vulnerabilities," she said.
"One of these flaws, CVE-2022-23285, is credited to researchers at Sangfor, who also discovered several Microsoft vulnerabilities in the past, notably in Print Spooler.
"The other, CVE-2022-21990, is one of the three zero-days addressed in this month's release."
As is usual on Patch Tuesday, Adobe also released its list of vulnerabilities along with patches.
Vulnerabilities were announced in Adobe Illustrator and After Effects, with the former open to remote code execution through a buffer overflow that was rated "critical".
Four critical flaws were listed for After Effects, all being stack-based buffer overflows.