Microsoft Fixes Record 570 Security Flaws in One Patch

▼ Summary
– Microsoft released updates fixing at least 570 security holes, nearly triple last month’s record, attributing the increase to AI-assisted vulnerability discovery.
– Nearly 60 bugs received a “critical” severity rating, allowing remote takeover, and three zero-day flaws were addressed, with two already exploited in the wild.
– Two zero-day flaws enable privilege escalation, alongside about 250 other elevation of privilege fixes, including bugs in Active Directory Federation Services and SharePoint.
– CVE-2026-50661 is a publicly detailed BitLocker security bypass that could expose encrypted data if attackers have physical access, though no active exploitation is known.
– Experts note that AI accelerates both vulnerability discovery and exploit development, questioning Microsoft’s exploitability index, as AI tools can easily exploit flaws rated “less likely” to be exploited.
Microsoft has unleashed a monumental security update, addressing a staggering 570 vulnerabilities across its Windows ecosystem and other software products. This July Patch Tuesday release nearly triples the previous record set just last month, a surge the company attributes directly to AI-driven vulnerability discovery tools.
Among the flaws patched, nearly 60 carry a “critical” severity rating. These bugs could allow attackers or malware to remotely take control of a Windows device with minimal user interaction. The update also tackles three zero-day vulnerabilities, two of which are already under active exploitation in real-world attacks.
Two of those zero-days, along with roughly 250 other elevation of privilege flaws, allow an attacker to gain higher-level system rights. Specific examples include CVE-2026-56155, a bug in Active Directory Federation Services, and CVE-2026-56164, a flaw in Microsoft SharePoint. Another notable fix is CVE-2026-50661, a security feature bypass in Windows BitLocker. While Microsoft has made details of this bug public, it states no active exploitation has been observed. An attacker would need physical access to a device to exploit it.
In a July 9 blog post, Microsoft Executive Vice President Pavan Davuluri explained that users should expect a higher volume of security updates in each release. “The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code,” Davuluri wrote. He highlighted that new mechanisms are accelerating both discovery and analysis.
Jack Bicer, director of vulnerability research at Action1, flagged CVE-2026-48561, a remote code execution flaw in Microsoft Copilot with a severe 9.6 CVSS score. This bug lets an unauthorized attacker execute code over the network. Bicer noted that an attacker could exploit it by hosting a malicious website. When a user visits the site using Microsoft Edge for Android, it automatically sends crafted prompts to Copilot.
While AI accelerates vulnerability discovery and patching, it also empowers attackers to quickly develop working exploits for known flaws. Microsoft has long used its exploitability index to estimate the likelihood of reliable exploitation. However, Satnam Narang, senior staff research engineer at Tenable, argues this index must evolve. He pointed out that Microsoft initially rated this month’s SharePoint zero-day as “less likely” to be exploited, even though it was added to CISA’s Known Exploited Vulnerabilities list on July 1.
“Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become,” Narang said. He explained that their Mythos Preview model produced proof-of-concept exploits for 13 of 14 vulnerabilities rated “Exploitation Less Likely” or “Exploitation Unlikely.” “Our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools,” he added. “As these tools continue to improve, defense needs to improve alongside it.”
Chris Goettl at Ivanti noted that Microsoft’s record patch numbers coincide with increased patch cadences from other major software makers. Adobe announced it is moving to twice-monthly security bulletins, also citing AI for accelerating cycles. Cisco, Mozilla, and Oracle are shipping updates more frequently, while Google’s June 2026 patch batches topped 900 security fixes.
As always, backing up your Windows system or data before applying operating system updates is a wise practice. Given the sheer volume of patches this month, end users may want to wait a few days before installing them. Security patches can sometimes introduce system stability issues, and that risk likely increases with such a massive patch count.
(Source: Krebs on Security)