\n<\/p>\n
Microsoft has rolled out fixes for security vulnerabilities in Windows and Office, which the company says are being actively abused by hackers to break into people\u2019s computers.<\/p>\n
The exploits are one-click attacks<\/a>, meaning that a hacker can plant malware or gain access to a victim\u2019s computer with minimal user interaction. At least two flaws can be exploited by tricking someone into clicking a malicious link on their Windows computer. Another can result in a compromise on opening a malicious Office file.<\/p>\n The vulnerabilities are known as zero-days<\/a>, because the hackers were exploiting the bugs before Microsoft had time to fix them.<\/p>\n Details of how to exploit the bugs have been published, Microsoft said, potentially increasing the chance of hacks. Microsoft did not say where they had been published, and a Microsoft spokesperson did not immediately comment when reached by TechCrunch.\u00a0In its bug reports, Microsoft acknowledged the input of security researchers in Google\u2019s Threat Intelligence Group in their discovery of the vulnerabilities.\u00a0<\/p>\n Microsoft said one of the bugs, officially tracked as CVE-2026-21510<\/a>, was found in the Windows shell, which powers the operating system\u2019s user interface. The bug affects all supported versions of Windows, the company said. When a victim clicks on a malicious link from their computer, the bug allows hackers to bypass Microsoft\u2019s SmartScreen feature that would typically screen malicious links and files for malware.<\/p>\n According to security expert Dustin Childs<\/a>, this bug can be abused to remotely plant malware<\/a> on the victim\u2019s computer.<\/p>\n \u201cThere is user interaction here, as the client needs to click a link or a shortcut file,\u201d Childs wrote in his blog post. \u201cStill, a one-click bug to gain code execution is a rarity.\u201d<\/p>\n A Google spokesperson confirmed that the Windows shell bug was under \u201cwidespread, active exploitation,\u201d and said successful hacks allowed the silent execution of malware with high privileges, \u201cposing a high risk of subsequent system compromise, deployment of ransomware, or intelligence collection.\u201d<\/p>\n Another Windows bug, tracked as CVE-2026-21513<\/a>, was found in Microsoft\u2019s proprietary browser engine, MSHTML, which powers its legacy and long-discontinued Internet Explorer browser. It\u2019s still found in newer versions of Windows to ensure backward compatibility with older apps.\u00a0<\/p>\n Microsoft said this bug allows hackers to bypass security features in Windows to plant malware.<\/p>\n According to independent security reporter Brian Krebs, Microsoft also patched three other zero-day bugs<\/a> in its software that were being actively exploited by hackers.<\/p>\n<\/div>\n