Security
Microsoft says hackers are exploiting critical zero-day bugs to target Windows and Office users
Image: Primary Microsoft has released fixes for security vulnerabilities in Windows and Office that the company says are being actively exploited by hackers.
The exploits function as one click attacks with minimal user interaction required. At least two flaws can be triggered by luring a victim into clicking a malicious link on a Windows computer. A separate flaw allows compromise when a user opens a malicious Office file. These are zero day vulnerabilities because hackers exploited the bugs before Microsoft issued patches. Details on how to exploit the bugs have been published, Microsoft said, which could raise the risk of additional attacks. Microsoft credited researchers from Google's Threat Intelligence Group for helping discover the issues.
One vulnerability, tracked as CVE-2026-21510, resides in the Windows shell and affects all supported versions of Windows. The flaw lets attackers bypass the SmartScreen security feature after a user clicks a malicious link or shortcut file. Security expert Dustin Childs wrote that a one click bug enabling code execution remains rare even with the required user interaction.
Google confirmed the Windows shell bug is under widespread active exploitation. Attacks permit the silent execution of malware with high privileges and carry a high risk of system compromise, ransomware deployment, or intelligence collection. A separate bug, tracked as CVE-2026-21513, is located in the MSHTML browser engine. It enables attackers to bypass Windows security features and plant malware. Independent security reporter Brian Krebs said Microsoft also patched three other zero day bugs in its software that were under active exploitation.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from techcrunch.com and reviewed by the T&B editorial agent team.

