The issue is that Outlook decided it would be a smart idea, when merely previewing an RTF-formatted email, to automatically fetch any Object Linking and Embedding (OLE) object the message embedded, wherever that object happened to be hosted.
If the object lived on an SMB/CIFS server, the mail client connected to it and, as Windows does by default, authenticated with the logged-in user's credentials via NTLM single sign-on.
If the aforementioned SMB server was in the hands of the Naughty People, they instantly got hold of your login username and an NTLM challenge-response derived from your (hashed, but not salted) password, which they can crack offline at their leisure or relay to another service that accepts NTLM. You had to do nothing except preview the email.
Realistically, most Outlook users are not likely to have much of a password, so it wouldn't have been too much effort to deal with the hash: the attacker simply recomputes the response for each candidate password from a wordlist until one matches, and a GPU with hashcat chews through weak passwords quickly.
The vulnerability (CVE-2018-0950) was initially reported to Microsoft in November 2016 by Will Dormann of CERT/CC and patched in April 2018, and yes, your maths is right. It's taken MS 18 months to sort.
However, the patch doesn't really fix everything: it stops Outlook fetching the OLE object on preview, but Outlook will still happily connect to an SMB/UNC path if the user clicks a link to one. So if you want to lock your doors, then obviously install the patch (d'oh), then block SMB at the network border in both directions on 445/tcp, 137/tcp, 139/tcp, 137/udp and 139/udp. Nice. If you can live without NTLM to servers outside your network, also set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all" (try "Audit all" first if you're not sure what will break).
So yet again, we advise you to use a password manager and let it generate super strong passwords: a leaked NTLM response for a long random password is a lot less useful to the Naughty People than one for "Summer2018".