Can't speak for others, but this one is a fairly obvious vulnerability for someone who's in this field - similar bugs have existed back in the day in web browsers, and even somewhat recently on other platforms like Android (messages app) etc. Basically anything that displays clickable links, or renders web content etc - there's a high probably of there being a vulnerability, you just need to test a few well-known scenarios (and there are automated test suits for these things too).

The moment Microsoft started adding crap to Notepad, we knew that it was only a matter of time before such a vulnerability cropped up.