As reported by ARS Technica, this includes a Word vulnerability that allowed attackers to infect up-to-date Windows 10 systems with malware. All that was required was the opening of an infected Word file. The second vulnerability that's exploited in the wild involves Internet Explorer, it's an elevation-of-privilege bug that allows attackers to access sensitive information from one domain and inject it into another address.
There's also a third zero-day vulnerability that targets a flaw in the Encapsulated PostScript (EPS) of Office. Microsoft did not have a patch available in time for this month's Patch Tuesday cycle but decided to roll out a workaround that disables EPS by default:
The third zero-day also resides in Office 2016, 2013, and 2010 and isn't actually being patched in Tuesday's update batch. According to guidance for the flaw: "Microsoft is aware of limited targeted attacks that could leverage an unpatched vulnerability in the [Encapsulated PostScript] filter and is taking this action to help reduce customer risk until the security update is released." The flaw is exploited when a target opens a malicious EPS image in Word.