As this is the second Tuesday of the month, otherwise known as Patch Tuesday, there is a security update available for Windows that fixes dozens of flaws. One of them is a critical vulnerability in WordPad and Office that could allow a remote attacker to install malware on your machine.
"A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft explains.
What's also interesting here is that you won't find that tidbit in a security bulletin, as would have been the case for every Patch Tuesday prior to today. That's because Microsoft has introduced a new format for these updates in which it now provides details about its patch through its "Security Update Guide."
Not everyone is a fan of the new format. The Register complains that the new system "merely obfuscates discovered vulnerabilities and fixes," and called it "cowardly" on Microsoft's part to bury critical fixes in the new format, including the WordPad patch. Likewise, Zero Day Initiative called it "confusing."
Our take is that it's...different. It takes a bit of digging/clicking to see which flaws are critical, and that's certainly annoying, but the information is still there.
In this case, the Patch Tuesday update contains a laundry list of CVEs in Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, Silverlight, and .NET Framework. If you want to view which ones are marked as Critical, go to the Security Update Guide and click the Severity checkbox at the top, then click the new Severity column.