You have a strong incentive to upgrade quickly if you’re affected. The attack is known to have been used by hacking group Strontium for a low-intensity but targeted phishing campaign. It’s not certain that other organizations used the hole, but you likely don’t want to find out about new attacks first-hand.

The patch ends a brief but tumultuous episode between Google and Microsoft. Google published details of the flaw after learning that it was already being used for real-world attacks, but Microsoft criticized the move as irresponsible. It put users at “potential risk” by making it easier for malware writers, the Windows creator said. Whether or not that’s true, the question is whether or not the two sides are taking steps to minimize these issues in the future — ideally, any security disclosure comes with a patch ready and waiting.