Microsoft has released its February batch of security updates, addressing 58 vulnerabilities across its software ecosystem. Among them, two zero-day flaws—one in Windows Shell and another in Microsoft Word—are already being exploited in the wild, underscoring the urgency for users to apply the latest patches.
The updates span Windows operating systems, Office applications, Azure cloud services, and even legacy components like Internet Explorer, which remains embedded in Windows for backward compatibility. While support for Windows 10 officially ended in October 2025, Microsoft continues to release security fixes for the platform.
A Focus on Critical and Zero-Day Risks
The most pressing fixes target two zero-day vulnerabilities with active exploitation
- CVE-2026-21510 (Windows Shell): A security feature bypass that allows attackers to execute arbitrary code by tricking users into opening malicious shortcuts. The flaw sidesteps SmartScreen protections, a key defense mechanism in Windows.
- CVE-2026-21514 (Microsoft Word): A zero-day vulnerability that enables code execution when a user opens a specially crafted Word document. Unlike some remote code execution flaws, this exploit does not rely on previewing files—users must fully open the document for the attack to succeed.
Beyond these, Microsoft has patched five additional critical vulnerabilities, including flaws in Azure Container Instances (ACI) that could expose sensitive data if left unaddressed. Two of these ACI vulnerabilities require immediate action to secure existing deployments.
Windows-Specific Fixes: From Legacy IE to Modern Threats
While many updates focus on modern Windows versions (10, 11, and Server), Microsoft has also addressed vulnerabilities in legacy components, such as
- Internet Explorer (IE): Despite its decline, IE remains part of Windows for legacy application support. Two security feature bypass flaws (CVE-2026-21513) could allow attackers to bypass security checks, though Microsoft notes these risks are diminishing over time.
- Desktop Window Manager (DWM): CVE-2026-21519 is the second DWM zero-day exploited this year. Attackers combine it with remote code execution (RCE) vulnerabilities to escalate privileges and run code with system-level permissions.
- Remote Desktop Service: CVE-2026-21533 is an elevation-of-privilege (EoP) flaw that, if exploited locally, grants attackers system-level access. This could be leveraged for lateral movement within compromised networks.
- Remote Access Connection Manager: CVE-2026-21525 is a denial-of-service (DoS) vulnerability that could crash the service, potentially disrupting remote administration efforts.
Office users should also note that while none of the six high-risk Office vulnerabilities are classified as RCE flaws, CVE-2026-21514 (the Word zero-day) effectively achieves the same outcome by bypassing security features to execute malicious code.
Azure and Edge: Cloud and Browser Updates
Azure received five critical patches, three of which have already been documented. Two vulnerabilities in Azure Container Instances (ACI) demand urgent attention, as they could lead to unauthorized access or data exposure if containers are not updated. Meanwhile, Microsoft Edge users received updates for two Chromium-based vulnerabilities (fixed in Edge 144.0.3719.115), though Google’s Chrome 145 release suggests further Edge updates may follow shortly.
A spoofing vulnerability (CVE-2026-0391) in Edge for Android, originally patched in December, is now being publicly acknowledged. This flaw could trick users into interacting with deceptive content, though Microsoft has already deployed the fix.
What Users Should Do Now
- Apply updates immediately, especially for Windows, Office, and Azure environments. Use Windows Update or Azure Update Management for automated deployment.
- For Windows 10 users, despite the lack of official support, these patches remain critical for security.
- Review Azure Container Instances for the two critical ACI vulnerabilities and apply the latest images or updates.
- Monitor for further Edge updates, as Chromium-based patches often follow Google’s release schedule.
With the next Patch Tuesday set for March 10, 2026, staying current on these updates is essential to closing known exploitation vectors. Microsoft’s proactive approach to zero-day fixes highlights the evolving threat landscape, where even legacy systems and productivity tools remain targets.
