Microsoft released security updates to address zero‑day vulnerabilities in Windows and Office that hackers were actively exploiting to gain unauthorized access.
The exploits are one‑click attacks, allowing a hacker to plant malware or gain access with minimal user interaction. At least two flaws can be triggered by convincing a user to click a malicious link on a Windows computer; a third flaw leads to compromise when a user opens a malicious Office file.
Microsoft classified the vulnerabilities as zero‑days, meaning attackers exploited them before patches were available. The company said exploit details have been published, potentially increasing attack likelihood, but did not disclose the publication source. A Microsoft spokesperson did not immediately comment when contacted by TechCrunch.
In its bug reports, Microsoft acknowledged input from security researchers in Google’s Threat Intelligence Group, who helped discover the vulnerabilities.
One vulnerability, tracked as CVE‑2026‑21510, resides in the Windows shell that powers the operating‑system user interface and affects all supported Windows versions. When a victim clicks a malicious link, the bug bypasses SmartScreen, which normally screens links and files for malware.
Security expert Dustin Childs wrote that the bug can be used to remotely plant malware and noted that “there is user interaction here, as the client needs to click a link or a shortcut file,” adding that a one‑click code‑execution bug is rare.
A Google spokesperson confirmed that the Windows shell bug was under “widespread, active exploitation,” and said successful attacks could silently execute high‑privilege malware, posing a high risk of system compromise, ransomware deployment, or intelligence collection.
Another Windows bug, identified as CVE‑2026‑21513, exists in Microsoft’s proprietary MSHTML browser engine, which powers legacy Internet Explorer and remains in newer Windows releases for backward compatibility. The bug enables attackers to bypass Windows security features and plant malware.
Independent security reporter Brian Krebs reported that Microsoft also patched three additional zero‑day bugs that were being actively exploited.
The three additional zero‑day bugs, also actively exploited, were addressed in the same update cycle. Microsoft did not disclose identifiers or technical specifics, but confirmed that the patches close the vulnerabilities before further compromise.
The patches are distributed through Windows Update and Office Update services, ensuring rapid deployment to affected systems.
