Patch Tuesday, February 2026 Edition

Summary: Microsoft released updates to address over 50 security vulnerabilities, including six zero-day flaws that attackers are exploiting. The patching efforts include fixes for Windows operating systems and other software.

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software. The release includes patches for six 'zero-day' vulnerabilities that attackers are already exploiting in the wild.

Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell where a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21513 is a security feature bypass flaw in MSHTML, the proprietary engine of the default Web browser in Windows. Zero-day CVE-2026-21514 is a related security feature bypass flaw targeting Microsoft Word.

The zero-day CVE-2026-21533 is a flaw in Windows Remote Desktop Services that allows local attackers to elevate their user privileges to 'SYSTEM' level access. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.

The sixth zero-day, CVE-2026-21525, is a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.

Key facts

  • Over 50 security holes patched
  • Six zero-day vulnerabilities
  • Security feature bypass flaws in Windows Shell and MSHTML
  • Elevation of privilege flaw in DWM
  • Potential denial-of-service vulnerability in Remote Access Connection Manager

Why it matters

These patches are critical because attackers can exploit the vulnerabilities they fix, posing significant risks to both individual users and organizations. Zero-day exploits like those addressed this month highlight the ongoing threats in the cybersecurity landscape, especially as developers and AI tools become more integral parts of software ecosystems.

Key metrics

  • Number of Security Vulnerabilities Patched: >50 (As of February 28, 2026)
  • Number of Zero-Day Vulnerabilities: 6