Microsoft has released security fixes for vulnerabilities in Windows and Office. The company stated that hackers are currently exploiting these flaws to gain unauthorized access to users’ computers.
The exploits are designed as one-click attacks, allowing a hacker to install malware or gain access to a victim’s computer with little user interaction. At least two vulnerabilities can be exploited by deceiving someone into clicking a malicious link on their Windows computer. Another vulnerability may be triggered when a user opens a malicious Office file.
These vulnerabilities are known as zero-days because hackers exploited them before Microsoft could deploy a fix.
Microsoft has reported that details on how to exploit certain vulnerabilities have been made public, which may increase the risk of hacking attempts. The company did not specify where this information was published, and a Microsoft spokesperson did not immediately provide comment when contacted by TechCrunch.
In its bug reports, Microsoft acknowledged the contributions of security researchers from Google’s Threat Intelligence Group in identifying these vulnerabilities.
One significant bug, officially designated as CVE-2026-21510, was discovered in the Windows Shell, the component that powers the operating system’s user interface. Microsoft stated that this bug impacts all supported versions of Windows. When a user clicks on a malicious link, the vulnerability allows hackers to bypass Microsoft’s SmartScreen feature, which is designed to screen links and files for malware.
According to security expert Dustin Childs, this bug can be abused to remotely plant malware on the victim’s computer.
“There is user interaction here, as the client needs to click a link or a shortcut file,” Childs wrote in his blog post. “Still, a one-click bug to gain code execution is a rarity.”
A Google spokesperson confirmed a critical Windows Shell bug, describing it as under “widespread, active exploitation.” They emphasized the severity, noting that successful attacks could silently execute malware with high privileges. This, the spokesperson warned, “pos[es] a high risk of subsequent system compromise, deployment of ransomware, or intelligence collection.”
Another Windows vulnerability, identified as CVE-2026-21513, has been discovered in Microsoft’s proprietary browser engine, MSHTML. This engine powers the outdated Internet Explorer browser, which has been discontinued but is still included in newer versions of Windows for compatibility with older applications.
Microsoft has reported that this vulnerability allows hackers to circumvent security features in Windows, potentially enabling them to install malware.
Independent security reporter Brian Krebs noted that Microsoft has also patched three other zero-day vulnerabilities in its software, which were being actively exploited by hackers.