Microsoft rushes to patch actively exploited security bugs in Windows, Office

Microsoft

• Microsoft issued urgent security updates for Windows and Office to fix zero-day flaws.
• Hackers can exploit these bugs through malicious links or Office files easily.
• Update immediately as technical exploit details are now public.

Did our AI summary help?

Microsoft has rolled out urgent security updates for Windows and Office after confirming that several serious vulnerabilities were being actively abused by hackers in real-world attacks.

The flaws, described as zero-day vulnerabilities because they were exploited before fixes were available, enable attackers to compromise systems with minimal user interaction. In some cases, simply clicking a malicious link on a Windows computer is enough to trigger an attack. Another flaw can be exploited by opening a specially crafted Office file.

Microsoft warned that technical details showing how to exploit the bugs have now been published, a development that could further increase the risk of attacks. The company did not disclose where those details appeared, and did not immediately respond to questions from TechCrunch. In its advisory, Microsoft credited security researchers from Google’s Threat Intelligence Group for helping uncover the vulnerabilities.

One of the most serious issues, tracked as CVE-2026-21510, affects the Windows shell, a core component that powers the operating system’s user interface. Microsoft said the bug impacts all supported versions of Windows. By clicking on a malicious link or shortcut file, an attacker can bypass Microsoft’s SmartScreen protection, which normally warns users about suspicious downloads and links.

Security researcher Dustin Childs said the flaw allows remote code execution, making it particularly dangerous. While user interaction is required, he noted that one-click exploits capable of executing code are relatively rare and highly valuable to attackers.

Google confirmed that the Windows shell vulnerability was under widespread active exploitation. According to the company, successful attacks can lead to the silent execution of malware with high privileges, increasing the risk of ransomware deployment, long-term system compromise, or intelligence collection.

Microsoft also patched another actively exploited Windows flaw, CVE-2026-21513, found in MSHTML, the legacy browser engine originally used by Internet Explorer. Although Internet Explorer itself has been discontinued, MSHTML remains embedded in modern versions of Windows for compatibility with older applications. The bug allows attackers to bypass Windows security protections and install malware.

Independent security reporter Brian Krebs reported that Microsoft addressed at least three additional zero-day vulnerabilities that were also being exploited in the wild.

Microsoft is urging users and organisations to install the latest updates as soon as possible, warning that public disclosure of the bugs could accelerate further attacks against unpatched systems.