Forgot your password?
typodupeerror
Windows Microsoft Security

Microsoft Patches a Record 570 Security Flaws (krebsonsecurity.com) 41

An anonymous reader quotes a report from Krebs on Security: Microsoft today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs quashed in July's Patch Tuesday earned a "critical" severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild.

Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 - an Active Directory Federation Services bug -- and CVE-2026-56164, a Microsoft Sharepoint vulnerability. CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.

In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice "a higher volume of security updates included in each security release" as a result of AI aiding in the discovery of vulnerabilities. "The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis," Davuluri wrote.

Microsoft Patches a Record 570 Security Flaws

Comments Filter:
  • by Futurepower(R) ( 558542 ) on Wednesday July 15, 2026 @11:11AM (#66239756) Homepage
    The big underlying issue is why does Microsoft deliver software with so many flaws?
    • by AmiMoJo ( 196126 ) on Wednesday July 15, 2026 @11:23AM (#66239774) Homepage Journal

      It doesn't, they just turned AI on it for the first time.

      Linux is going through the same thing, only with less good AI and more slowly.

      • It doesn't, they just turned AI on it for the first time.

        I.e. "It does."

        • It doesn't, they just turned AI on it for the first time.

          I.e. "It does."

          More precisely, "Everyone does".

          Microsoft's code isn't especially shoddy, all large codebases that are getting AI review right now are experiencing the same thing.

          • More precisely, "Everyone does".

            Microsoft's code isn't especially shoddy [...]

            Actually, producing shoddy code is precisely what Microsoft is know for. All they are interested in is locking people into their ecosystem, and producing good code is a disadvantage in that business model. The worse their code is, the more difficult it is for users to step away. User lock-in has always been their goal, and they don't even lie about it. This moat strategy is arguably the most deliberate and consistent part of the company's history.

            For instance, they created the SMB file protocol not from com

      • The issue comes from: how many of these security flaws aren't anything at all (or are barely worth knowing about), and how many are repeats from the last time they ran "Clod" or whichever one they're using.

        Just gotta be careful that the bug-hunting AI doesn't identify the usability as a security flaw.

      • And how many of these patches are made by "AI", I wonder.

      • I noticed that the update rate in Mint seems quite elevated lately.

        There is a lot of scrambling going on. AI does see, to have a value for slinging endproduct against the wall and targeting where ever something stuck.

    • MSFT wants to sell you and your enterprise the tools and capacity to bug hunt your own code and allegedly help you "drive costs" out of your operations. I suspect this is more of a "look, we are eating our own dog food!" exercise to drive sales.

      They're trying to slap the copilot moniker on anything they can lay a hand on to further that goal. Someone's gotta pay for all that capex they're pushing into their datacenter infrastructure....might as well be you.

      • This is true, go into Microsoft Defender for Cloud or Microsoft Defender for Endpoint, or Intune, and see how many warnings can be "fixed" if you buy another product or service. Microsoft has turned Windows into a PaaS and DMaaS (Digital Molestation as a Service), but people don't want an OS that is a PaaS and DMaaS we want an OS that stays out of the way, and doesn't digitally molest us.

        I think fixing bugs and real issues is fantastic, so I won't pick on them for solving 600 issues, that's fine, but it'
    • by Zocalo ( 252965 )
      It's bad, but Microsoft has a awfully large number of lines of code to run through Mythos or whatever (whether they need that many is a whole other discussion). A more useful metric on overall code quality would be how many bugs are being found per 10k lines of code compared to their peers (including FLOSS); e.g. if Microsoft ran 10m SLOC through Mythos to get those 570 bugs, and a smaller project ran 1m SLOC and got 57 bugs, then you could reasonably argue that their code quality is about on a par with th
      • On the upside, we're probably going to get several months of this while everyone with access to Mythos et al runs their existing code through it and integrates into their release processes for new code, and the end result will be things being much harder for all the bad actors in the world. Even if you don't use the improved code yourself, that's hopefully going to have a significant impact on the number and size of all the botnets out there, and that's a net benefit to everyone apart from the bad actors.

        This. Short term pain for long term gain.

      • It's bad, but Microsoft has a awfully large number of lines of code to run through Mythos or whatever

        You mean the famous Microsoft bloat? That's a feature I guess.

        On the upside, we're probably going to get several months of this while everyone with access to Mythos et al runs their existing code through it and integrates into their release processes for new code, and the end result will be things being much harder for all the bad actors in the world.

        So the last couple years of destroyed functionality, are suddenly going to end, and we'll have the secure OS they've been telling us is the most secure and it'll be puppy dogs and rainbows?

        Meanwhile, the presumably insecure MacOS and Linux don't seem to have this issue. I'll believe it when the other Os' end up gone, and Microsoft is so secure, all the AV providers go out of business.

        • "the presumably insecure MacOS and Linux don't seem to have this issue."

          Excuse me?

          I use a Red Hat Linux clone/derivative called Rocky Linux on all of my computers (desktops, laptops, server) and there's currently a discussion on the Rocky message board about how there are suddenly so many kernel updates being issued as a result of bugs found (presumably by AI) that the Rocky maintainers are having difficulty maintaining the pace.

          Here's the discussion if you're interested:
          https://forums.rockylinux.org/... [rockylinux.org]

          • "the presumably insecure MacOS and Linux don't seem to have this issue."

            Excuse me?

            I use a Red Hat Linux clone/derivative called Rocky Linux on all of my computers (desktops, laptops, server) and there's currently a discussion on the Rocky message board about how there are suddenly so many kernel updates being issued as a result of bugs found (presumably by AI) that the Rocky maintainers are having difficulty maintaining the pace.

            Here's the discussion if you're interested: https://forums.rockylinux.org/... [rockylinux.org]

            Were there 500 security updates a month after there were 200 updates? I have Linux Mint as well as Raspbian, and keep track up updates. Perhaps I didn't count correctly.

            And no where did I say that MacOS and Linux don't have security flaws. There is no perfectly secure OS. If can be written, it can be compromised. But to suggest that Windows is the equal of the other two, well, that needs a whole lot of proof.

    • by Hadlock ( 143607 )

      Given your user ID # I think you know the reason(s)

    • We can bust on Microsoft all day and all night, and they deserve it, but the fact that their ability to find and fix these problems has greatly increased is a good thing. Software is incredibly complex, and no software more complicated than "10 GOTO 10" is free from the potential of security problems. Microsoft's QA has gone downhill in recent years, but now it's getting better apparently (even if it's after the fact). They are not going away, so this makes all our lives better.

    • by Himmy32 ( 650060 )

      As much fun as it is to hate on Microsoft, when all everything is lumped into one monolithic pot it's of course going to look worse. Firefox, LibreOffice, dm-crypt, or OpenSSH bugs aren't counted together in one big "Linux" pot. One recent Firefox update had 271 security fixes in one cycle [zdnet.com].

      Microsoft's list of 570 includes Office, SharePoint, Active Directory, BitLocker, and Edge, which is a wide range of products.

    • by Jeremi ( 14640 )

      Part of it may be a dysfunctional corporate culture, but a lot of it is a consequence of Microsoft's business decision to maintain backwards compatibility at all costs. When you're committed to retaining every design mistake, forever, the complexity of the codebase just keeps rising, which means that less and less of it can fit into anyone's mind at one time, which means more mistakes are made going forward, and the technical debt just keeps compounding.

    • by Junta ( 36770 )

      While I'm all about the Microsoft hate, in this scenario, it's not exactly unique, nor does a count tell the whole story.

      Famously the kernel had a handful of high profile security issues discovered, so Microsoft has company. If you are floored by the number of security 'flaws', well, many projects are dealing with those and while higher than usual (largely due to AI findings), a lot of 'security' findings have long been dubious and the AI findings are no exception.

      For example, a parser for a comprehensive

    • As a long-time Linux user, I have two questions. First, why does Microsoft insist on holding on to all of these bug patches and security fixes so that they can be released all together on Patch Tuesday instead of being made available right away as Linux does? Second, why do so many people insist on paying money for such a flawed system and putting up with such a slow update pace?
      • As a long-time Linux user, I have two questions. First, why does Microsoft insist on holding on to all of these bug patches and security fixes so that they can be released all together on Patch Tuesday instead of being made available right away as Linux does? Second, why do so many people insist on paying money for such a flawed system and putting up with such a slow update pace?

        I reboot my Windows box once a month. If I reboot my Linux boxes every time they get a kernel patch it makes for lots of rebooting. I have a Rocky 8 box that is on extended maintenance and it still gets kernel patches almost weekly. It used to be the other way around. The days of long uptimes are long gone.

        • I'm retired, and it's long been my habit to update my Fedora box every morning while making breakfast. I agree with you that the kernel's getting updated far more often than it used to be. Recently, it was updated at least three times in one week (maybe four, I'm not sure) which seems excessive. I think that was while they were getting rid of the insecure forms of string manipulation, but I wasn't involved in that and could be wrong.
  • by schwit1 ( 797399 ) on Wednesday July 15, 2026 @11:18AM (#66239766)

    https://msrc.microsoft.com/upd... [microsoft.com]

    "If people want a severity hook, July has 26 vulnerabilities with a CVSS base score above 9.0, and 13 of those sit at 9.8," said Josh Taylor, lead cybersecurity analyst at Fortra

  • I can easily see a day where every bit of software is subjected to an AI check before it is released.

    There may come a day when hacking is far more rare and requires government level resources to pay for an AI better than the one software makers use.

    There will always be vulnerabilities but they might only be visible to government spies.

    • Or you just hack into the Tessier-Ashpool mainframe if you can't afford to rent time on Wintermute

    • I can easily see a day where every bit of software is subjected to an AI check before it is released.

      There may come a day when hacking is far more rare and requires government level resources to pay for an AI better than the one software makers use.

      There will always be vulnerabilities but they might only be visible to government spies.

      The AI reviews (of current code, and new code) was stated as an foreseeable outcome at the recent RSAC conference by a few presenters (this was before Mythos was publicly announced, but the direction of the capability of the models was obvious).

      And those same presenters stated the next few years were going to be most interesting, as the models will be finding (new, or different) bugs faster then the software will get fixed. In the long run, as you suggest, those speakers believed that the easy exploits

    • All of the software we write now goes through agent code reviews, multiple agent security checks, agent quality checks. I count no fewer than 8 gates that are scanning for vulnerabilities using some kind of language model. Most of the code we're writing is written by an agent, so the need for 8 levels of agent gates is obvious. We have skills that use agents to address PR review comments made by ... other agents. So the whole cycle is automated, and every token burned is money in Anthropic's wallet. Instead

  • by Z80a ( 971949 ) on Wednesday July 15, 2026 @12:29PM (#66239894)

    To find a security flaw, you only need to be right once.
    So if you have a machine that has a shitload of false positives, and have a way to filter em quickly, you end up with a bunch of true positives.
    Now to code, you ideally want to always be right, which is not quite ideal for a machine that does a lot of false positives.
    It's a pretty fun scenario, specially if you're not the only one running the security flaw finding machine.

    • To find a security flaw, you only need to be right once. So if you have a machine that has a shitload of false positives, and have a way to filter em quickly, you end up with a bunch of true positives. Now to code, you ideally want to always be right, which is not quite ideal for a machine that does a lot of false positives. It's a pretty fun scenario, specially if you're not the only one running the security flaw finding machine.

      Does it even matter any more? It is the Microsoft way, and their "patches" tend to just turn needed things off. Meanwhile the faithful can continue the claims that Microsoft is every bit as secure as any other OS out there.

      • by Z80a ( 971949 )

        At the scale it's getting, i don't think anyone in microsoft want to be "the ones at fault for lockheed martin getting hacked", or worse, disney.

        • At the scale it's getting, i don't think anyone in microsoft want to be "the ones at fault for lockheed martin getting hacked", or worse, disney.

          A decent point. It seems however, that Windows will soon be running Office 365, and not much else.

  • Anyone want to claim that MacOS and Linux are security through obscurity?

    The problem with Microsoft's "security" updates that they turn off features that many programs need. The ain't security, that's just a march toward the only programs workingare the ones Microsoft sells you. And they aren't secure either.

  • The summary says: "Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild. "

    (scratches head) How can a flaw be called zero-day and already be exploited in the wild?
    • The summary says: "Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild. "

      (scratches head) How can a flaw be called zero-day and already be exploited in the wild?

      Because a zero-day is any flaw made public before the developer knows about it. One of the main ways this happens is by noticing that hackers are breaking into systems using a heretofore unknown exploit.

  • "The pace of vulnerability discovery is changing with advances in AI" Sadly, this also holds true for the attackers.
  • Remains to be seen if the pace of QA can keep up. 8 Ball says - Signs Say No

  • Microsoft creates 1140 security flaws

  • How many security flaws remain?

"I just want to be a good engineer." -- Steve Wozniak, co-founder of Apple Computer, concluding his keynote speech at the 1988 AppleFest

Working...