Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Microsoft has rolled out fixes for vulnerabilities in Windows and Office, which the company says are being actively abused by hackers to break into people’s computers.
The exploits are One-click attacksWhich means a hacker can plant malware or gain access to a victim’s computer with minimal user interaction. At least two flaws can be exploited by tricking someone into clicking a malicious link on your Windows computer. Another could lead to compromise on opening a malicious Office file.
Weaknesses are known as Zero daysBecause hackers were exploiting bugs before Microsoft had time to fix them.
Microsoft said that details have been published on how to exploit the bugs, which may increase the chances of hacking. Microsoft did not say where it was published, and a Microsoft spokesperson did not immediately comment when contacted by TechCrunch. In its bug reports, Microsoft acknowledged the input of security researchers at Google’s Threat Intelligence Group in their discovery of the vulnerabilities.
Microsoft said that one of the bugs, was officially traced to CVE-2026-21510is found in the Windows shell, which powers the operating system’s user interface. The company said that the bug affects all supported versions of the Windows operating system. When a victim clicks on a malicious link from their computer, the bug allows hackers to bypass Microsoft’s SmartScreen feature that normally scans malicious links and files for malware.
according to Security expert Dustin ChildsThis error can be abused Remotely implant malware On the victim’s computer.
“There is user interaction here, where the customer needs to click on a link or shortcut file,” Childs wrote in his blog post. “However, a single-click error to execute the code is rare.”
A Google spokesperson confirmed that the Windows Shell bug was under “active and widespread exploitation,” and said that successful breaches allowed for silent execution of high-privilege malware, “which poses a significant risk of subsequent system compromise, ransomware deployment, or intelligence gathering.”
Another Windows error, tracked as CVE-2026-21513are found in Microsoft’s own browser engine, MSHTML, which powers the old and long-discontinued Internet Explorer browser. It is still present in newer versions of Windows to ensure compatibility with older applications.
Microsoft said this bug allows hackers to bypass security features in the Windows operating system to plant malware.
According to independent security reporter Brian Krebs, Microsoft has also patched the vulnerability Three more errors on day zero Its software has been actively exploited by hackers.