Hackers Exploit Critical Microsoft Zero-Day Bugs in Windows, Office
▼ Summary
– Microsoft has released fixes for actively exploited security vulnerabilities in Windows and Office, which are one-click attacks requiring minimal user interaction.
– At least two flaws can be triggered by clicking a malicious link on Windows, while another is exploited by opening a malicious Office file.
– These are zero-day vulnerabilities, meaning hackers exploited the bugs before Microsoft could develop and release patches for them.
– One critical bug (CVE-2026-21510) in the Windows shell allows attackers to bypass the SmartScreen security feature when a user clicks a malicious link.
– Another bug (CVE-2026-21513) exists in the legacy MSHTML engine, and Microsoft patched additional zero-day bugs that were under active exploitation.
Microsoft has released critical security updates to address actively exploited vulnerabilities in Windows and Office software. These flaws represent a significant threat, as they allow attackers to compromise systems with minimal user interaction. The company confirmed that hackers are already using these weaknesses in real-world attacks, making immediate patching essential for all users. The vulnerabilities are classified as zero-days, meaning they were being used by attackers before Microsoft could develop and distribute fixes.
The exploitation methods for these bugs have been publicly disclosed, which significantly raises the risk of more widespread attacks. Microsoft credited researchers from Google’s Threat Intelligence Group for their assistance in discovering these security holes. One particularly dangerous flaw, identified as CVE-2026-21510, exists within the Windows shell, the core component responsible for the operating system’s user interface. This bug impacts every currently supported version of Windows.
The vulnerability allows attackers to bypass Microsoft’s SmartScreen security filter, a crucial defense that normally scans links and files for malicious content. By tricking a user into clicking a specially crafted link, a hacker can remotely install malware. Security expert Dustin Childs emphasized the severity of this one-click attack vector, noting that such straightforward paths to executing malicious code are uncommon and highly effective.
A Google spokesperson confirmed this Windows shell bug is under “widespread, active exploitation.” Successful attacks can lead to malware running silently with high-level system privileges, creating a substantial risk for follow-on actions like ransomware deployment or espionage.
A second critical flaw, tracked as CVE-2026-21513, was discovered in the MSHTML browser engine. This legacy technology, which powered the discontinued Internet Explorer, remains part of modern Windows systems to maintain compatibility with older applications. Microsoft warns that this bug also enables attackers to circumvent Windows security protections to plant malware.
According to independent security reporter Brian Krebs, Microsoft’s latest patch batch also addresses three additional zero-day vulnerabilities that were being actively exploited in other software components. The company has not provided specific details on where the exploit information was published, and a spokesperson did not immediately offer further comment. The urgent nature of these patches cannot be overstated; users and administrators should apply all available updates from Windows Update without delay to protect their systems from these immediate threats.
(Source: TechCrunch)
