Microsoft Releases Security Patches for Zero-Day Vulnerabilities in Windows and Office
Microsoft has recently addressed security vulnerabilities in Windows and Office that have been actively exploited by hackers to gain unauthorized access to users’ computers. These exploits are classified as one-click attacks, meaning that hackers can easily deploy malware or infiltrate a victim’s system with minimal user interaction. Several vulnerabilities allow hackers to manipulate users into clicking on malicious links or opening infected Office files.
The vulnerabilities in question are commonly referred to as zero-days, indicating that hackers were already taking advantage of these security flaws before Microsoft could develop fixes. Details on how to exploit these bugs have been made public, potentially increasing the risk of cyber attacks. Microsoft credited security researchers from Google’s Threat Intelligence Group for their assistance in identifying these vulnerabilities.
One of the identified bugs, known as CVE-2026-21510, affects the Windows shell, which serves as the user interface for the operating system. This bug impacts all supported versions of Windows and allows hackers to bypass Microsoft’s SmartScreen feature, which typically screens for malicious links and files. Security expert Dustin Childs highlighted the severity of this bug, noting that it could be exploited to remotely install malware on a victim’s computer.
Another critical vulnerability, tracked as CVE-2026-21513, was discovered in Microsoft’s proprietary browser engine, MSHTML, utilized in the now-obsolete Internet Explorer browser. Despite the discontinuation of Internet Explorer, this engine is still integrated into newer Windows versions for compatibility purposes. This bug enables hackers to circumvent Windows security features and deploy malware on targeted systems.
In addition to these zero-day vulnerabilities, Microsoft also addressed three other actively exploited bugs in its software. These security patches are crucial in mitigating the risks posed by malicious actors seeking to compromise users’ systems for various nefarious purposes.
