To exploit it, an attacker would have to send a specially crafted message to the Windows Search service; an attacker who succeeded could then elevate privileges and "take control of the computer," the company said in an advisory, and from there install programs; view, change, or delete data; or create new accounts with full user rights.
It added that in an enterprise setting an unauthenticated attacker could trigger the flaw remotely over an SMB connection, a combination that Trend Micro researchers described in a blog post as "pretty close to wormable," meaning the bug could be used to spread from one machine to the next without user interaction.
Although no technical details or proof-of-concept have been made public and the bug is not known to be under active exploitation, the company rated a future attack as "more likely."
Another "critical" remote code execution flaw, this one in the legacy JET database engine, could also allow an attacker to take full control of a computer.
To exploit it, an attacker would likely have to trick a user into opening a malicious database file sent by email as part of a spearphishing campaign, the company said.
The company said that the privately-disclosed bug was "unlikely" to be exploited.
The software giant released patches for 46 other vulnerabilities as part of its regularly scheduled Patch Tuesday set of security fixes. More than half of the vulnerabilities in the release are rated "critical."
August's patches are available through Windows Update.
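For an administrator who wants to know whether a given Windows machine is exposed to the Windows Search/SMB vector described above, and whether the month's updates have landed, the following PowerShell triage script is an added example; it is not code from the article, from Microsoft, or from Trend Micro. It assumes the service name WSearch for Windows Search and TCP port 445 for SMB, and it computes the second Tuesday of the current month as the Patch Tuesday date rather than assuming a year, since the article only says "August." Run it elevated; it reports state and does not change anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): triage a single host
# for the Windows Search over SMB exposure and for missing Patch Tuesday updates.
# Assumptions: service name 'WSearch', SMB on TCP 445, Patch Tuesday = second
# Tuesday of the month. Adjust if your environment differs.

function Get-SecondTuesday {
    param([datetime]$Month = (Get-Date))
    # First day of the month at midnight, then step forward to the second Tuesday.
    $first  = Get-Date -Year $Month.Year -Month $Month.Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-SearchSmbExposure {
    param([datetime]$PatchTuesday = (Get-SecondTuesday))

    $result = [ordered]@{}

    # 1. Is the Windows Search service installed and running?
    $svc = Get-Service -Name 'WSearch' -ErrorAction SilentlyContinue
    $result.SearchServiceStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $result.SearchServiceStartType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }

    # 2. Is SMB listening, and does the host firewall allow it inbound?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.SmbListening = [bool]$listening

    $smbRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue).LocalPort
            ($ports -contains '445') -or ($ports -contains 'Any')
        }
    $result.InboundSmbAllowRules = @($smbRules).Count

    # 3. Has anything been installed since this month's Patch Tuesday?
    # Get-HotFix only lists updates that register as hotfixes, so treat a zero
    # here as "verify in Windows Update history," not as proof the patch is absent.
    $recent = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
    $result.PatchTuesday             = $PatchTuesday.ToShortDateString()
    $result.UpdatesSincePatchTuesday = @($recent).Count

    # 4. Verdict: the remote vector needs a running Search service reachable over
    # SMB on a host that has not taken this month's updates.
    $result.LikelyExposed = ($result.SearchServiceStatus -eq 'Running') -and
                            $result.SmbListening -and
                            ($result.InboundSmbAllowRules -gt 0) -and
                            ($result.UpdatesSincePatchTuesday -eq 0)

    return [pscustomobject]$result
}

Get-SearchSmbExposure | Format-List
```

The verdict is deliberately conservative in one direction only: a host with SMB blocked at the firewall is still flagged if the service runs and no update is installed, because a local user could still reach the service. Treat `LikelyExposed = True` as a prompt to install the month's updates through Windows Update, not as a finding in itself.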