One of the vulnerabilities, that allowed an attacker to circumvent a protection feature of Edge, was already publicly disclosed before a patch was released. However, the vulnerability was not actively abused.
The most critical vulnerabilities are in the scripting engine of Internet Explorer 11 and Edge. Simply visiting a malicious or hacked website, or viewing an infected advertisement, was sufficient for an attacker to execute random code. Also, through vulnerabilities in Microsoft Office and Outlook it was possible to execute random code, but a user first had to open a malicious file.
Microsoft also patched vulnerabilities in the Windows kernel, Microsoft Office and the Windows Embedded OpenType Font Engine. These vulnerabilities could be used to retrieve information, elevate privileges or cause a Denial of Service (DOS).
On most Windows system the update are automatically installed. Users can also manually install them from the Microsoft Update Catalog.