HomeTech NewsMicrosoft Security Patches Hit a Critical 570-Flaw Record

Microsoft Security Patches Hit a Critical 570-Flaw Record

  • Microsoft security patches addressed at least 570 flaws, including nearly 60 critical vulnerabilities and three issues already exploited by attackers.
  • The growing volume of Microsoft security patches reflects AI-assisted bug discovery, but defenders face a faster and more exhausting remediation cycle.
  • A SharePoint zero-day, Active Directory Federation Services bug, and BitLocker bypass make this month’s release particularly relevant to enterprises.
  • Microsoft’s exploitability ratings may be falling behind AI systems that can produce proof-of-concept exploits for supposedly difficult flaws.

Microsoft security patches have become a volume problem

Microsoft security patches have hit a number that should make every Windows administrator stop scrolling for a minute: at least 570 vulnerabilities fixed in a single monthly release. That is nearly three times the already enormous batch Microsoft issued the previous month, and it includes almost 60 flaws rated critical. This is no longer the familiar Patch Tuesday routine of clearing a few updates after coffee. It’s closer to receiving a moving truck’s worth of security work through the mail.

For ordinary PC owners, the priority for Microsoft security patches is straightforward: install updates, but do so sensibly. For companies running Windows fleets, SharePoint servers, Active Directory infrastructure, and Microsoft’s rapidly expanding AI stack, the harder truth is that patch management is becoming an operational discipline in its own right. Testing a release this large takes time. So does figuring out which fixes matter first, whether they clash with line-of-business software, and how to deploy them before an attacker gets there first.

The July release also lands at an awkward moment for Microsoft. The company has been pushing Copilot into nearly every layer of its product portfolio, while security teams are already struggling to govern AI tools at work. Now one of the most serious fixes in the batch involves Copilot itself.

A Windows laptop waiting on an update is a familiar sight, but the security release behind that progress bar has grown dramatically more complicated.

Microsoft security patches — A picture of a windows laptop in its updating stage, saying do not turn off the computer.
A picture of a windows laptop in its updating stage, saying do not turn off the computer.

Three zero-days put Microsoft security patches at the front of the queue

Of the 570 flaws, three are classified as zero-days: vulnerabilities disclosed publicly or abused before a patch is broadly available. Two are privilege-escalation issues, meaning an attacker who already has a foothold on a machine could gain deeper control. Those are often the second act of a real intrusion rather than the opening move, but they can turn a limited breach into full administrative compromise.

One of those issues, CVE-2026-56155, affects Active Directory Federation Services. The other, CVE-2026-56164, affects Microsoft SharePoint. SharePoint has a long history as an attractive target because it commonly sits near sensitive internal documents and is deeply wired into corporate identity systems. If your organization runs it on-premises, these Microsoft security patches are not ones to leave waiting until the next maintenance window merely because the monthly list is intimidating.

The third zero-day, CVE-2026-50661, is a Windows BitLocker security-feature bypass. Microsoft says it has been publicly detailed but is not aware of active exploitation. An attacker needs physical access to the machine, which limits the threat compared with a remotely exploitable bug. Still, laptops get stolen, offices have visitors, and devices are sometimes left in hotel rooms. Disk encryption is supposed to protect data precisely in those moments.

Microsoft security patches also cover roughly 250 elevation-of-privilege vulnerabilities this month. That sheer concentration matters. Attack chains rarely rely on one cinematic, all-powerful flaw; they stitch together smaller weaknesses until an attacker has the access they want. A huge collection of privilege bugs gives incident responders plenty to worry about even where no single CVE makes headlines.

The scale of this release is a reminder that the most consequential Microsoft update stories are often not about a flashy Windows feature at all, but about the dull plumbing holding corporate IT together.

Krebs on Security
Krebs on Security

AI is finding bugs faster, and attackers are likely to follow

Microsoft executive vice president Pavan Davuluri has directly linked the swelling patch count to AI-assisted vulnerability research. In a July 9 post, Davuluri wrote that users would see “a higher volume of security updates included in each security release.” His explanation was blunt: AI can find more defects, faster, across more code, while also speeding up analysis.

That sounds like good news, and in one respect it is. Vulnerabilities that stay hidden for years do nobody any favors. Finding them before criminals do is the best outcome. But Microsoft security patches are the last stage of the process, not the finish line. Every new discovered flaw creates a fresh testing, prioritization, deployment, and verification task for the people defending real networks.

The more unsettling part is that the same technology can help attackers turn public bug reports into usable exploits. Satnam Narang, a senior staff research engineer at Tenable, argues Microsoft’s long-running Exploitability Index may be calibrated for a world where a skilled human has to labor over each proof of concept. That world is fading quickly.

“What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools,” Narang said.

His example is uncomfortable for Microsoft. The SharePoint zero-day was initially rated “Exploitation Less Likely,” even though it appeared on the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog on July 1. Narang also pointed to Anthropic red-team research in which its Mythos Preview model reportedly generated proof-of-concept exploits for 13 of 14 vulnerabilities assessed as less likely or unlikely to be exploited.

My read is that severity labels are becoming less useful as a comfortable sorting mechanism. They still matter, of course. But security teams should increasingly prioritize internet-facing systems, identity infrastructure, active exploitation, and the practical value of the data at risk. A reassuring label from a vendor cannot carry the same weight when AI can reduce exploit development from a specialist project to a much quicker experiment.

The Copilot bug is the warning label

CVE-2026-48561, a 9.6-rated remote-code-execution vulnerability in Microsoft Copilot, deserves particular attention. According to Microsoft’s description, an unauthenticated attacker could host a malicious website that causes Edge for Android to automatically send crafted prompts to Copilot when a user visits. That could lead to code execution over a network.

There is a grim symmetry here. AI systems are helping vendors identify flaws in old software, while Microsoft is also shipping AI integrations that create fresh attack surfaces. Nobody should interpret that as an argument to abandon AI wholesale. But it is an argument for treating Copilot and similar tools as real production software with real security boundaries, not a harmless assistant tucked into the corner of an interface.

Organizations should consult the Microsoft Security Response Center update guide, identify exposed SharePoint and federation services first, and apply the relevant Microsoft security patches on an accelerated schedule. Endpoint teams should also verify that BitLocker policies, recovery keys, and device-access controls are actually configured as intended. Encryption with a sloppy key-management process is rather like locking the front door and taping the spare key to it.

Patch fatigue is now a security risk

Microsoft is not alone in increasing its security output. Adobe has said it will move to twice-monthly security bulletins, while Cisco, Mozilla, Oracle, and Google have all been issuing updates at a faster rhythm. Google’s June 2026 batches reportedly contained more than 900 fixes. The result is a software supply chain that is harder to secure because every change carries more risk.

For home users, I’d still recommend taking a backup before major operating-system updates, then installing Microsoft security patches promptly once Microsoft has had a short window to catch any obvious deployment failures. Enterprises need a more deliberate path: test rapidly, patch actively exploited and internet-facing products first, and communicate clearly when a restart or brief outage is unavoidable.

The uncomfortable question is whether monthly patching remains the right mental model at all. If AI keeps accelerating vulnerability discovery on both sides, Microsoft security patches may soon look less like a predictable calendar event and more like continuous maintenance. That is manageable only if vendors make updates smaller, safer, and easier to validate. Right now, the pile is growing faster than most IT teams can comfortably lift.

Sara Ali Emad
Sara Ali Emad
Im Sara Ali Emad, I have a strong interest in both science and the art of writing, and I find creative expression to be a meaningful way to explore new perspectives. Beyond academics, I enjoy reading and crafting pieces that reflect curiousity, thoughtfullness, and a genuine appreciation for learning.
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular