The vulnerability, CVE-2019-0708, is in remote desktop services (a k a terminal services). To exploit the vulnerability "an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP," Microsoft officials noted. The update corrects how Remote Desktop Services handles connection requests.
The vulnerability -- which Microsoft officials said they haven't yet seen exploited -- doesn't affect Windows 8.1 or 10 (or Server variants starting with 2012), but it does affect Windows 7, Windows Server 2008 and 2008 R2, along with the previously mentioned Windows variants. The patches for XP and 2003 are here.