[frollogaston]

A lot of these are non-exe files, like images/video, crafted to execute arbitrary code through some bug in outdated software that opens them. Could be a web browser or something else. It does take a while for an OS to be so old that browsers don't support it anymore, but sufficiently old ones are vulnerable to known spectre exploits breaking out of the JS sandbox for example. Or random other browser features can be exploited.

Also, Wannacry is a good example of a LAN attack reaching further than you might expect. Or there are various conditional ways to breach the NAT, one of them simply being NATless ipv6 with a misconfigured firewall.

Microsoft might bluff a bit and actually backport fixes for very serious issues, like how Wannacry was patched all the way back to XP. Maybe Win10 is fine for several years, but the real problem is that you don't know how vulnerable you are with each passing year.

[1231231231e]

With outdated browsers it does make senese. A bit more surprising is the image or video decoding exploit, considering that I'd assume those would usually be done in hardware rather than by some userspace or OS level code.

[frollogaston]

Hardware transcoding still involves software, plus the hardware itself can be vulnerable. It's not meant to act as security. But anyway, it's also very hit-or-miss. The drivers need to support it, and even then the software might not use it.

One random thing that ticks me off, Google Meet insists on using VP8/VP9 because they invented it, which has way less overall support for hardware transcoding. That's why it uses so much more CPU on many devices than Zoom etc which use the more common H.264.