Meta News

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for six 'zero-day' vulnerabilities that attackers are already exploiting. Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in the Windows Shell where a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass vulnerability in Microsoft Word. The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to 'SYSTEM' level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month. The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.