Microsoft has released patches for critical security vulnerabilities in Windows and Office that hackers are actively exploiting. These vulnerabilities, known as zero-days, were being used before Microsoft had a chance to address them. The exploits are one-click attacks, meaning a user can be compromised by simply clicking on a malicious link or opening a harmful Office file. The company highlighted two specific flaws: one in the Windows shell (CVE-2026-21510) and another in the legacy MSHTML browser engine (CVE-2026-21513). Both allow attackers to bypass built-in security features and install malware on victims' computers. Security expert Dustin Childs noted the rarity of a one-click bug that enables code execution, emphasizing the severity of CVE-2026-21510. A successful exploit can lead to the silent execution of malware with elevated privileges, raising concerns about system compromise and potential ransomware deployment. Google confirmed that this particular bug is being widely exploited, further intensifying the urgency for users to update their systems. In addition to the two major vulnerabilities, Microsoft has addressed three other zero-day bugs that were also under active attack. The details of these flaws were shared publicly, increasing the risk of further exploitation. Microsoft acknowledged the contributions of security researchers from Google’s Threat Intelligence Group in identifying these issues. Users should prioritize updating their Windows and Office applications to mitigate these risks, given the low barrier for attackers to gain access.