Microsoft Releases Critical Updates for Windows and Other Software
Microsoft has released a batch of updates addressing over 50 security vulnerabilities in its Windows operating systems and other software. Notably, the update includes patches for six “zero-day” vulnerabilities that are currently being exploited by attackers.
Zero-Day Vulnerabilities
The zero-day vulnerabilities include:
- CVE-2026-21510: A security feature bypass in Windows Shell, allowing a single click on a malicious link to run attacker-controlled content without user consent.
- CVE-2026-21513: A security bypass bug targeting MSHTML, the default web browser engine in Windows.
- CVE-2026-21514: Another related security feature bypass issue found in Microsoft Word.
- CVE-2026-21533: A local privilege escalation flaw affecting Windows Remote Desktop Services, allowing attackers to elevate their privileges to the “SYSTEM” level.
- CVE-2026-21519: An elevation of privilege vulnerability in the Desktop Window Manager (DWM), a critical component of Windows.
- CVE-2026-21525: A denial-of-service vulnerability in the Windows Remote Access Connection Manager, which can disrupt corporate network connections.
Additional Security Updates
In addition to these critical vulnerabilities, Microsoft has issued several out-of-band security updates since January’s Patch Tuesday:
- A fix for a credential prompt failure when attempting remote desktop or remote application connections.
- Patching of a zero-day security feature bypass vulnerability in Microsoft Office (CVE-2026-21509).
AI Vulnerabilities Addressed
Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), such as VS Code, Visual Studio, and JetBrains products. The relevant CVEs are:
- CVE-2026-21516
- CVE-2026-21523
- CVE-2026-21256
These vulnerabilities stem from a command injection flaw that can be triggered through prompt injection, potentially leading to the execution of malicious code or commands.
Risks and Recommendations
Breen emphasizes that developers are high-value targets for threat actors due to their access to sensitive data such as API keys and secrets. He advises organizations to:
- Understand the risks associated with AI integration in development workflows.
- Identify systems and workflows that have access to AI agents.
- Apply least-privilege principles to minimize potential damage if developer secrets are compromised.
元記事: https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/