A remote code execution vulnerability exists in Windows Input Method Editor (IME) when IME improperly handles parameters in a method of a DCOM class.The DCOM server is a Windows component installed regardless of which languages/IMEs are enabled. An attacker can instantiate the DCOM class and exploit the system even if IME is not enabled.To exploit this vulnerability, a locally authenticated attacker could run a specially crafted application.The security update addresses this vulnerability by correcting how Windows IME handles parameters in a method of a DCOM class.