Microsoft says hackers are exploiting critical zero-day bugs to target Windows and Office users
Source: TechCrunch
Overview
Microsoft has rolled out fixes for security vulnerabilities in Windows and Office that are being actively abused by hackers to break into users’ computers. The exploits are one‑click attacks, meaning a hacker can plant malware or gain access with minimal user interaction. At least two flaws can be exploited by tricking someone into clicking a malicious link on a Windows computer, while another can result in a compromise when opening a malicious Office file.
These vulnerabilities are known as zero‑days, because the attackers were exploiting the bugs before Microsoft could issue patches.
Exploited Bugs
CVE-2026-21510 – Windows Shell
- Location: Windows shell (the user‑interface layer of the operating system)
- Impact: When a victim clicks a malicious link, the attack bypasses Microsoft’s SmartScreen filter, allowing the attacker to silently execute malware with high privileges.
- Expert insight: Security researcher Dustin Childs noted that “there is user interaction here, as the client needs to click a link or a shortcut file… a one‑click bug to gain code execution is a rarity.”
- Google’s statement: The bug is under “widespread, active exploitation,” enabling silent execution of malware with high privileges and posing a high risk of system compromise, ransomware deployment, or intelligence collection.
CVE-2026-21513 – MSHTML (Internet Explorer Engine)
- Location: Microsoft’s proprietary browser engine, MSHTML, which remains in newer Windows versions for backward compatibility with legacy applications.
- Impact: Allows attackers to bypass Windows security features and plant malware.
Additional Zero‑Day Patches
According to independent security reporter Brian Krebs, Microsoft also patched three other zero‑day bugs that were being actively exploited. Details of those bugs are available in the Krebs on Security article.
References
- Explanation of one‑click attacks: TechCrunch security terminology guide
- Definition of zero‑day vulnerabilities: TechCrunch security terminology guide
- CVE-2026-21510 advisory: Microsoft Update Guide
- CVE-2026-21513 advisory: Microsoft Update Guide
- Security expert commentary: Dustin Childs, “The February 2026 Security Update Review” (Zero Day Initiative blog)
- Additional zero‑day patches: Krebs on Security – Patch Tuesday February 2026