Microsoft has released fixes for security vulnerabilities in Windows and Office that the company says are actively being exploited by hackers to break into people’s computers.
This exploit is a one-click attack, meaning a hacker can plant malware or gain access to a victim’s computer with minimal user interaction. At least two flaws could be exploited by tricking someone into clicking a malicious link on a Windows computer. Security can also be compromised when opening malicious Office files.
The vulnerability is known as a zero-day because hackers exploited the bug before Microsoft fixed it.
Microsoft said details of how the bug could be exploited have been made public, which could increase the likelihood of hacking. Microsoft did not say where they were published, and a Microsoft spokesperson did not immediately comment to TechCrunch. In a bug report, Microsoft acknowledged that security researchers from Google’s Threat Intelligence group helped discover the vulnerability.
Microsoft said one of the bugs, officially tracked as CVE-2026-21510, was found in the Windows shell that underpins the operating system’s user interface. The company says the bug affects all supported versions of Windows. If a victim clicks on a malicious link from their computer, the bug allows hackers to bypass Microsoft’s SmartScreen feature, which typically screens malicious links and files for malware.
Security expert Dustin Childs said the bug could be exploited to remotely plant malware on a victim’s computer.
“User interaction is required here, as the client must click on the link or shortcut file,” Childs wrote in a blog post. “Still, bugs where code is executed with a single click are rare.”
A Google spokesperson acknowledged that the Windows Shell bug is being “widely and actively exploited,” and said that a successful hack could allow malware to run silently with elevated privileges, “creating a high risk of subsequent system compromise, ransomware deployment, and intelligence gathering.”
Another Windows bug, tracked as CVE-2026-21513, was found in MSHTML, Microsoft’s proprietary browser engine that powers the long-defunct legacy Internet Explorer browser. It’s still included in newer versions of Windows to ensure backwards compatibility with older apps.
Microsoft said the bug could allow hackers to bypass Windows security features and introduce malware.
According to independent security reporter Brian Krebs, Microsoft also patched three other zero-day bugs in the software that were being actively exploited by hackers.
