Microsoft says hackers are exploiting critical zero-day bugs to target Windows and Office users

Microsoft has announced the deployment of critical security updates aimed at addressing vulnerabilities in its Windows operating system and Office suite. These vulnerabilities, known to be actively exploited by cybercriminals, allow attackers to infiltrate systems with minimal user engagement. The exploits involve one-click attacks, enabling malicious actors to install malware or gain unauthorized access simply by deceiving users into clicking harmful links. Specifically, two identified flaws can be triggered when a user interacts with a malicious link on their Windows device, while another vulnerability arises from opening a compromised Office document. These vulnerabilities are classified as zero-days, meaning hackers have taken advantage of these flaws before Microsoft had the opportunity to issue fixes. The company has noted that details on how these exploits function have been publicly disclosed, which may raise the risk of further attacks. In their security reports, Microsoft acknowledged the assistance of the security researchers from Google’s Threat Intelligence Group, who played a key role in uncovering these vulnerabilities. One significant flaw, identified as CVE-2026-21510, resides within the Windows shell, which is integral to the operating system's user interface. This flaw affects all supported versions of Windows and allows hackers to bypass Microsoft's SmartScreen feature, which typically protects against malicious links and files. Security expert Dustin Childs emphasized the rarity of such one-click vulnerabilities that can lead to code execution, noting that user interaction is required, albeit minimal. A spokesperson from Google confirmed that the vulnerability in the Windows shell is currently under widespread exploitation, enabling the silent execution of malware with elevated privileges, thereby posing a serious risk of system compromise, ransomware deployment, or data theft. Additionally, another vulnerability, tracked as CVE-2026-21513, was discovered in Microsoft’s MSHTML browser engine, which is still present in newer versions of Windows for compatibility with older applications. This flaw similarly allows attackers to circumvent Windows security measures to install malware. Furthermore, reports indicate that Microsoft has patched three additional zero-day vulnerabilities that were also being actively exploited by hackers.