Microsoft has issued security updates addressing critical vulnerabilities in Windows and Office after confirming that hackers are actively exploiting these flaws to gain unauthorized access to user systems. These zero-day vulnerabilities enable one-click attacks, allowing attackers to install malware or compromise a computer with minimal user interaction. At least two of the flaws can be triggered by convincing a user to click a malicious link on a Windows device, while another can be exploited through a malicious Office file.
Some of the vulnerabilities have been publicly detailed, increasing the likelihood of further attacks, although Microsoft has not disclosed the source of this information. Security researchers from Google’s Threat Intelligence Group were credited with identifying these vulnerabilities.
A notable flaw, tracked as CVE-2026-21510, exists in the Windows Shell, which controls the operating system’s user interface. This bug affects all supported versions of Windows and allows attackers to bypass Microsoft’s SmartScreen protections when a user clicks a malicious link. Microsoft urges users to install the latest security updates promptly to mitigate risks associated with these actively exploited vulnerabilities.
