Microsoft has pushed out security updates to patch several vulnerabilities in Windows and Office after warning that attackers are actively targeting users’ computers.
The bugs are highly dangerous. They allow one-click attacks. In some cases, just clicking a malicious link can compromise a system. Another flaw can be triggered by opening a specially crafted Office file. Hackers can gain access with very little effort.
These vulnerabilities were exploited before patches were available. That makes them zero-days, one of the most urgent types of security risks.
Microsoft said details about exploiting the flaws have already appeared online. This could increase the risk of attacks. The company did not say where the instructions were published. A spokesperson did not immediately comment. Microsoft credited researchers from Google’s Threat Intelligence Group for helping find the bugs.
One key issue, tracked as CVE-2026-21510, affects the Windows shell, the component that runs the operating system’s interface. Microsoft said the flaw exists in all supported versions of Windows. Clicking a malicious link could let hackers bypass SmartScreen, the feature meant to block dangerous links and files.
Security expert Dustin Childs called the vulnerability “rare and serious.” He noted in a blog post that while it still requires a user to click something, the flaw allows remote code execution, meaning malware could be installed silently on the victim’s machine.
A Google spokesperson confirmed the Windows shell flaw is under “widespread, active exploitation.” According to the company, successful attacks could let hackers run malware with high privileges, creating a risk of system compromise, ransomware deployment, or espionage.
Another bug, CVE-2026-21513, lives in MSHTML, Microsoft’s old browser engine that powered Internet Explorer. Even though IE has been retired, MSHTML remains in Windows for backward compatibility with older applications. Microsoft said this flaw also allows attackers to bypass security protections and plant malware.
Security reporter Brian Krebs noted that Microsoft patched three additional zero-day vulnerabilities that hackers were actively exploiting.
The takeaway for users: patch your systems immediately. One click could be all it takes.



