Microsoft Patches a Record 570 Security Flaws (krebsonsecurity.com) 41
An anonymous reader quotes a report from Krebs on Security: Microsoft today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs quashed in July's Patch Tuesday earned a "critical" severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild.
Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 - an Active Directory Federation Services bug -- and CVE-2026-56164, a Microsoft Sharepoint vulnerability. CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.
In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice "a higher volume of security updates included in each security release" as a result of AI aiding in the discovery of vulnerabilities. "The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis," Davuluri wrote.
Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 - an Active Directory Federation Services bug -- and CVE-2026-56164, a Microsoft Sharepoint vulnerability. CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.
In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice "a higher volume of security updates included in each security release" as a result of AI aiding in the discovery of vulnerabilities. "The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis," Davuluri wrote.
An AMAZING number of flaws (Score:5, Insightful)
Re:An AMAZING number of flaws (Score:4, Insightful)
It doesn't, they just turned AI on it for the first time.
Linux is going through the same thing, only with less good AI and more slowly.
Re: (Score:3)
It doesn't, they just turned AI on it for the first time.
I.e. "It does."
Re: (Score:2)
It doesn't, they just turned AI on it for the first time.
I.e. "It does."
More precisely, "Everyone does".
Microsoft's code isn't especially shoddy, all large codebases that are getting AI review right now are experiencing the same thing.
Re: (Score:2)
More precisely, "Everyone does".
Microsoft's code isn't especially shoddy [...]
Actually, producing shoddy code is precisely what Microsoft is know for. All they are interested in is locking people into their ecosystem, and producing good code is a disadvantage in that business model. The worse their code is, the more difficult it is for users to step away. User lock-in has always been their goal, and they don't even lie about it. This moat strategy is arguably the most deliberate and consistent part of the company's history.
For instance, they created the SMB file protocol not from com
Re: (Score:2)
The issue comes from: how many of these security flaws aren't anything at all (or are barely worth knowing about), and how many are repeats from the last time they ran "Clod" or whichever one they're using.
Just gotta be careful that the bug-hunting AI doesn't identify the usability as a security flaw.
Re: (Score:2)
And how many of these patches are made by "AI", I wonder.
Re: (Score:2)
I noticed that the update rate in Mint seems quite elevated lately.
There is a lot of scrambling going on. AI does see, to have a value for slinging endproduct against the wall and targeting where ever something stuck.
Re: (Score:2)
MSFT wants to sell you and your enterprise the tools and capacity to bug hunt your own code and allegedly help you "drive costs" out of your operations. I suspect this is more of a "look, we are eating our own dog food!" exercise to drive sales.
They're trying to slap the copilot moniker on anything they can lay a hand on to further that goal. Someone's gotta pay for all that capex they're pushing into their datacenter infrastructure....might as well be you.
Re: (Score:3)
I think fixing bugs and real issues is fantastic, so I won't pick on them for solving 600 issues, that's fine, but it'
Re: (Score:2)
Re: (Score:2)
On the upside, we're probably going to get several months of this while everyone with access to Mythos et al runs their existing code through it and integrates into their release processes for new code, and the end result will be things being much harder for all the bad actors in the world. Even if you don't use the improved code yourself, that's hopefully going to have a significant impact on the number and size of all the botnets out there, and that's a net benefit to everyone apart from the bad actors.
This. Short term pain for long term gain.
Re: (Score:2)
It's bad, but Microsoft has a awfully large number of lines of code to run through Mythos or whatever
You mean the famous Microsoft bloat? That's a feature I guess.
On the upside, we're probably going to get several months of this while everyone with access to Mythos et al runs their existing code through it and integrates into their release processes for new code, and the end result will be things being much harder for all the bad actors in the world.
So the last couple years of destroyed functionality, are suddenly going to end, and we'll have the secure OS they've been telling us is the most secure and it'll be puppy dogs and rainbows?
Meanwhile, the presumably insecure MacOS and Linux don't seem to have this issue. I'll believe it when the other Os' end up gone, and Microsoft is so secure, all the AV providers go out of business.
Re: (Score:1)
"the presumably insecure MacOS and Linux don't seem to have this issue."
Excuse me?
I use a Red Hat Linux clone/derivative called Rocky Linux on all of my computers (desktops, laptops, server) and there's currently a discussion on the Rocky message board about how there are suddenly so many kernel updates being issued as a result of bugs found (presumably by AI) that the Rocky maintainers are having difficulty maintaining the pace.
Here's the discussion if you're interested:
https://forums.rockylinux.org/... [rockylinux.org]
Re: (Score:2)
"the presumably insecure MacOS and Linux don't seem to have this issue."
Excuse me?
I use a Red Hat Linux clone/derivative called Rocky Linux on all of my computers (desktops, laptops, server) and there's currently a discussion on the Rocky message board about how there are suddenly so many kernel updates being issued as a result of bugs found (presumably by AI) that the Rocky maintainers are having difficulty maintaining the pace.
Here's the discussion if you're interested: https://forums.rockylinux.org/... [rockylinux.org]
Were there 500 security updates a month after there were 200 updates? I have Linux Mint as well as Raspbian, and keep track up updates. Perhaps I didn't count correctly.
And no where did I say that MacOS and Linux don't have security flaws. There is no perfectly secure OS. If can be written, it can be compromised. But to suggest that Windows is the equal of the other two, well, that needs a whole lot of proof.
Re: (Score:2)
Given your user ID # I think you know the reason(s)
Re: (Score:2)
We can bust on Microsoft all day and all night, and they deserve it, but the fact that their ability to find and fix these problems has greatly increased is a good thing. Software is incredibly complex, and no software more complicated than "10 GOTO 10" is free from the potential of security problems. Microsoft's QA has gone downhill in recent years, but now it's getting better apparently (even if it's after the fact). They are not going away, so this makes all our lives better.
Re: (Score:2)
As much fun as it is to hate on Microsoft, when all everything is lumped into one monolithic pot it's of course going to look worse. Firefox, LibreOffice, dm-crypt, or OpenSSH bugs aren't counted together in one big "Linux" pot. One recent Firefox update had 271 security fixes in one cycle [zdnet.com].
Microsoft's list of 570 includes Office, SharePoint, Active Directory, BitLocker, and Edge, which is a wide range of products.
Re: (Score:2)
Part of it may be a dysfunctional corporate culture, but a lot of it is a consequence of Microsoft's business decision to maintain backwards compatibility at all costs. When you're committed to retaining every design mistake, forever, the complexity of the codebase just keeps rising, which means that less and less of it can fit into anyone's mind at one time, which means more mistakes are made going forward, and the technical debt just keeps compounding.
Re: (Score:2)
While I'm all about the Microsoft hate, in this scenario, it's not exactly unique, nor does a count tell the whole story.
Famously the kernel had a handful of high profile security issues discovered, so Microsoft has company. If you are floored by the number of security 'flaws', well, many projects are dealing with those and while higher than usual (largely due to AI findings), a lot of 'security' findings have long been dubious and the AI findings are no exception.
For example, a parser for a comprehensive
Re: (Score:2)
Re: (Score:2)
As a long-time Linux user, I have two questions. First, why does Microsoft insist on holding on to all of these bug patches and security fixes so that they can be released all together on Patch Tuesday instead of being made available right away as Linux does? Second, why do so many people insist on paying money for such a flawed system and putting up with such a slow update pace?
I reboot my Windows box once a month. If I reboot my Linux boxes every time they get a kernel patch it makes for lots of rebooting. I have a Rocky 8 box that is on extended maintenance and it still gets kernel patches almost weekly. It used to be the other way around. The days of long uptimes are long gone.
Re: (Score:2)
Microsoft says 622 (Score:3)
https://msrc.microsoft.com/upd... [microsoft.com]
"If people want a severity hook, July has 26 vulnerabilities with a CVSS base score above 9.0, and 13 of those sit at 9.8," said Josh Taylor, lead cybersecurity analyst at Fortra
Re: (Score:2)
Left hook [youtube.com] or right hook [youtube.com]?
Serious quality improvements (Score:2)
I can easily see a day where every bit of software is subjected to an AI check before it is released.
There may come a day when hacking is far more rare and requires government level resources to pay for an AI better than the one software makers use.
There will always be vulnerabilities but they might only be visible to government spies.
Re: (Score:2)
Or you just hack into the Tessier-Ashpool mainframe if you can't afford to rent time on Wintermute
Re: (Score:2)
Re: (Score:2)
I can easily see a day where every bit of software is subjected to an AI check before it is released.
There may come a day when hacking is far more rare and requires government level resources to pay for an AI better than the one software makers use.
There will always be vulnerabilities but they might only be visible to government spies.
The AI reviews (of current code, and new code) was stated as an foreseeable outcome at the recent RSAC conference by a few presenters (this was before Mythos was publicly announced, but the direction of the capability of the models was obvious).
And those same presenters stated the next few years were going to be most interesting, as the models will be finding (new, or different) bugs faster then the software will get fixed. In the long run, as you suggest, those speakers believed that the easy exploits
Re: (Score:2)
All of the software we write now goes through agent code reviews, multiple agent security checks, agent quality checks. I count no fewer than 8 gates that are scanning for vulnerabilities using some kind of language model. Most of the code we're writing is written by an agent, so the need for 8 levels of agent gates is obvious. We have skills that use agents to address PR review comments made by ... other agents. So the whole cycle is automated, and every token burned is money in Anthropic's wallet. Instead
Right once, patch away (Score:3)
To find a security flaw, you only need to be right once.
So if you have a machine that has a shitload of false positives, and have a way to filter em quickly, you end up with a bunch of true positives.
Now to code, you ideally want to always be right, which is not quite ideal for a machine that does a lot of false positives.
It's a pretty fun scenario, specially if you're not the only one running the security flaw finding machine.
Re: (Score:2)
To find a security flaw, you only need to be right once. So if you have a machine that has a shitload of false positives, and have a way to filter em quickly, you end up with a bunch of true positives. Now to code, you ideally want to always be right, which is not quite ideal for a machine that does a lot of false positives. It's a pretty fun scenario, specially if you're not the only one running the security flaw finding machine.
Does it even matter any more? It is the Microsoft way, and their "patches" tend to just turn needed things off. Meanwhile the faithful can continue the claims that Microsoft is every bit as secure as any other OS out there.
Re: (Score:2)
At the scale it's getting, i don't think anyone in microsoft want to be "the ones at fault for lockheed martin getting hacked", or worse, disney.
Re: (Score:2)
At the scale it's getting, i don't think anyone in microsoft want to be "the ones at fault for lockheed martin getting hacked", or worse, disney.
A decent point. It seems however, that Windows will soon be running Office 365, and not much else.
So secure (Score:2)
The problem with Microsoft's "security" updates that they turn off features that many programs need. The ain't security, that's just a march toward the only programs workingare the ones Microsoft sells you. And they aren't secure either.
Zero day already in the wild? (Score:2)
(scratches head) How can a flaw be called zero-day and already be exploited in the wild?
Re: (Score:2)
The summary says: "Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild. "
(scratches head) How can a flaw be called zero-day and already be exploited in the wild?
Because a zero-day is any flaw made public before the developer knows about it. One of the main ways this happens is by noticing that hackers are breaking into systems using a heretofore unknown exploit.
The pace of vulnerability discovery is changing (Score:2)
pace of QA (Score:2)
Remains to be seen if the pace of QA can keep up. 8 Ball says - Signs Say No
This just in (Score:2)
Microsoft creates 1140 security flaws
News: Microsoft Windows had 570 Security Flaws! (Score:2)