Microsoft's February Patch Tuesday Fixes 6 Zero-Days Under Attack
"Users just need to click a malicious link or shortcut file, and the attacker's code runs without any warning prompts. Microsoft's security teams, along with Google Threat Intelligence Group and an anonymous researcher, caught this one. 'Bypassing Windows Shell and SmartScreen protections significantly increases the success rate of malware delivery and phishing campaigns,' said Mike Walters, president and co-founder of Action1, in an email to TechRepublic. 'Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching.'"
"CVE-2026-21513 hits the MSHTML Framework with a similar security bypass. 'In enterprise environments, this flaw can lead to unauthorized code execution, malware deployment, credential theft, and system compromise,' explained Jack Bicer, director of vulnerability research at Action1. Even though Microsoft moved to Chromium-based Edge years ago, MSHTML still lurks in Windows shell components and third-party apps. CVE-2026-21514 targets Microsoft Word and Office 365, bypassing protections against malicious embedded objects."
Microsoft released security updates fixing 58 vulnerabilities across Windows and related products, including six actively exploited zero-days and three that were publicly disclosed before patches were available. The vulnerabilities include elevation of privilege, remote code execution, spoofing, information disclosure, security feature bypass, and denial of service. Five flaws are rated Critical and most are rated Important. The actively exploited zero-days affect Windows Shell (SmartScreen bypass), the MSHTML Framework, Microsoft Word/Office 365 (malicious embedded object bypass), and other components, enabling privilege escalation and service disruption. Detection and reporting involved Microsoft security teams, Google Threat Intelligence Group, and at least one anonymous researcher.
Read at TechRepublic