Microsoft warns of critical vulnerabilities in Windows, Office
What's the story
Microsoft has issued a warning about critical security vulnerabilities in its Windows and Office software. The tech giant said these flaws are being actively exploited by hackers to gain unauthorized access to users' computers. The exploits are one-click attacks, meaning they require minimal user interaction for a hacker to plant malware or break into a victim's system.
Exploit details
Hackers exploiting zero-day vulnerabilities
The vulnerabilities are termed zero-days as they were exploited by hackers before Microsoft had a chance to patch them. At least two of these flaws can be exploited by deceiving a user into clicking on a malicious link on their Windows computer. Another one can be exploited when an Office file is opened.
Research contribution
Google's threat intelligence group helped Microsoft identify bugs
In its bug reports, Microsoft acknowledged the contributions of security researchers from Google's Threat Intelligence Group in discovering these vulnerabilities. One of the bugs, officially tracked as CVE-2026-21510, was found in the Windows shell that powers the operating system's user interface. The company said this bug affects all supported versions of Windows and lets hackers bypass Microsoft's SmartScreen feature by clicking on a malicious link from their computer.
Expert opinion
One-click bug could be used to remotely plant malware
Security expert Dustin Childs warned that the Windows shell bug could be abused to remotely plant malware on a victim's computer. "There is user interaction here, as the client needs to click a link or a shortcut file," Childs wrote in a blog post. "Still, a one-click bug to gain code execution is a rarity," he added.
Exploitation confirmation
Google confirms widespread exploitation of Windows shell bug
A Google spokesperson confirmed that the Windows shell bug is being widely exploited. They said successful hacks have allowed silent execution of malware with high privileges, "posing a high risk of subsequent system compromise, deployment of ransomware, or intelligence collection." Another Windows bug tracked as CVE-2026-21513 was found in Microsoft's proprietary browser engine MSHTML which still exists in newer versions of Windows for backward compatibility with older apps.