Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.
Nearly 60 of the bugs quashed in July’s Patch Tuesday earned a “critical” severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild.
Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 — an Active Directory Federation Services bug — and CVE-2026-56164, a Microsoft Sharepoint vulnerability.
CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.
In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice “a higher volume of security updates included in each security release” as a result of AI aiding in the discovery of vulnerabilities.
“The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” Davuluri wrote.
Jack Bicer, director of vulnerability research at Action1, called attention to CVE-2026-48561, a remote code execution flaw in Microsoft Copilot (with a 9.6 CVSS threat score) that allows an unauthorized attacker to execute code over the network. Microsoft says an attacker could exploit this bug by hosting a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot when a user visits the site.
As AI advances the state of vulnerability discovery and remediation, it is also making it easier for attackers to quickly devise working exploits for known software flaws. Microsoft has long labeled security bugs using its “exploitability index,” which is Redmond’s best guess as to how likely it is that attackers will be able to figure out a reliable way to exploit a given vulnerability.
But Satnam Narang, senior staff research engineer at Tenable, argues that Microsoft’s exploitability index needs to do a better job of shifting with the machine speed of discovery. For example, Microsoft originally gave this month’s SharePoint zero-day an exploitability rating of “less likely,” although the flaw was added to CISA’s Known Exploited Vulnerabilities list on July 1.
“Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated ‘Exploitation Less Likely’ or ‘Exploitation Unlikely,'” Narang said. “What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.”
Chris Goettl at Ivanti observed that the record patch numbers from Microsoft come as a number of other major software makers are increasing their patch cadence, including Adobe which announced today it is moving to twice-monthly security bulletins published on the 2nd and 4th Tuesday of each month (Adobe also cited AI for accelerating their patch cycles). Cisco, Mozilla and Oracle also are shipping updates more frequently, while Google’s patch batches in June 2026 totaled more than 900 security fixes, Goettl noted.
Backing up your Windows system and/or data is always a good idea before applying operating system updates. Given the volume of patches addressed this month it may be wise for end users to wait a few days before applying these fixes. It’s not uncommon for security patches to introduce system stability issues, and those chances probably increase quite a bit with the gigantic patch count released today.
Further reading:
Still as confused as before … how could there be 570 flaws if Microsoft engineers are the ones doing the programming ? Is it carelessness or intentional ?
programming without bugs is between hard and impossible
security is an adversarial task, so bugs will be fund
Because much of this has existed for years, subtle mistakes made in various different ways that are not so obvious when created as they are when researched. Consider that this spans different languages, generations of people, billions of lines of code.
NO one person on earth can simply open and view it all. Ai is digging it out by brute force analytics that did not exist when most of it was written.
Try to butter some bread without crumbs coming off and then get back to me.
Humans are flawed creatures!
Those aren’t the only options, extraordinarily confused person.
An old joke about programming seems appropriate: “Every program has at least one bug and can be shortened by at least one instruction – from which, by induction, one can deduce that every program can be reduced to one instruction which doesn’t work.”
Appreciate the coverage man! This month was a monster!
How many of these AI discovered bugs are not really bugs/holes etc., but the fixes will create new, unforeseen problems?
None.
Many of the vulnerabilities are from chaining from one weakness to another. It takes humans time to do this, but AI does this much faster.
Given literally decades of work fixing stability bugs in the Microsoft codebase, it is not surprising these security bugs get now found. It will likely take many of these cycles. And as noted, new defects will be introduced.
Scrub scrub scrub!
Nothing interesting to me this Patch Tuesday. Still the same old crap. Good write-up, as per usual. Tired of these sorts of small AI-located bugs still being counted as some sort to pump up numbers, I assume, when they are basically just bugs not flaws. My only MS system showed no improvement. So, your usual Patch Tuesday.
It has improved security.
Yawn.
“Microsoft also addressed three zero-day flaws that are already being exploited in the wild.”
CVE-2026-50661, according to Microsoft is:
Publicly disclosed: Yes
Exploited: No
Exploitability assessment: Exploitation Less Likely
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-50661
If Microsoft used AI to write a complete Windows replacement OS fresh from the ground up, it would have almost zero security holes, require a lot less maintenance and would do away with tens of thousands of human coding and QA jobs inside Microsoft, meaning more profits for the investors!
I have done it myself on a local LLM. It is running great (only 100MB in memory) and I think it is very secure. And because it is so great, it doesn’t require maintenance at all!
Finally built out that qemu win 3.11/wfw instance with stripped out UI?
They should probably go back to their origins and build from win 98 and windows 2000, perhaps windows XP, and drop any lineage post win 7. Let AI slug it out instead of plopping it down with win 10/win 11.
Sincerely, that is a better option. I feel like we are not grasping the differences between how we code vs how AI code vs how Ai code vs how Dimon might code. I don’t wanna think about Dimon vibe coding. Thinking about Gates vibe coding suddenly sounds kind of fascinating, though. I do wonder how rich ex developers would vibe code now. I worry about how AI might be interested in how we all vibe code differently. Not so scary locally, damn creepy as a communistic concept. Hoping MS never patches any of my personal bugs/flaws. I am guessing those models are taking notes on the catwalk. :/
Nonsense. It would be just another one of their expensive fiascos. LLM code generators don’t know secure from insecure, just what they’re trained on. That’s why what drew my eye in Brian’s article was the mention of the “remote code execution flaw in Microsoft Copilot”. Mindless AI shovelware creates more problems than it’ll ever solve. An OS based on it would be a nightmare.
AI… Are you AI or not?
Great article and important reminder about the need for regular security updates. With the increasing number of vulnerabilities being discovered, staying informed and using reliable tools has become more important than ever. Resources like https://vanced.com.co/revanced-sync-for-lemmy/ also show how open-source communities continue to create useful solutions for users who value privacy and better digital experiences.
Impressive. Now let’s compaire: PC Mag, in 1995, reported that M$ was releasing Win95, ->in spite of over 64,000 known bugs and issues<-.
Do we imagine that number's decreased?
Microsoft advisory said, some Dell PC maybe cause loop reboots after July updates
Facts Only
* Microsoft released software updates for at least 570 security holes in Windows and other software in July.
* Nearly 60 vulnerabilities were rated as "critical."
* Three zero-day flaws were addressed, two of which were already being exploited.
* CVE-2026-56155 (Active Directory Federation Services) and CVE-2026-56164 (Sharepoint) are elevation of privilege flaws.
* CVE-2026-50661 is a security feature bypass in Windows BitLocker.
* CVE-2026-48561 is a remote code execution flaw in Microsoft Copilot with a CVSS score of 9.6.
* Pavan Davuluri, Microsoft Executive Vice President, attributed the increase in patch volume to AI-aided vulnerability discovery.
* Adobe announced a move to twice-monthly security bulletins on the 2nd and 4th Tuesday of each month.
* Google released over 900 security fixes in June 2026.
* Satnam Narang of Tenable noted that a SharePoint zero-day was added to CISA’s Known Exploited Vulnerabilities list on July 1.
Executive Summary
Microsoft has released a record-breaking set of security updates, patching over 570 vulnerabilities. This surge is attributed to the integration of artificial intelligence in the discovery and analysis of bugs, which allows for a faster pace of identification across massive codebases. While many of these fixes address "critical" risks and zero-day exploits—including a high-scoring remote code execution flaw in Microsoft Copilot—there is a notable tension regarding the accuracy of exploitability ratings.
Industry experts suggest that traditional "exploitability indexes" may now be obsolete because AI allows attackers to develop proof-of-concept exploits for "unlikely" vulnerabilities at machine speed. This trend is not isolated to Microsoft; companies like Adobe, Cisco, and Google are also increasing their patch frequency. Because the volume of changes is so high, there is an increased risk of system instability, leading to recommendations that end users maintain backups and potentially delay installation by a few days to ensure stability.
Full Take
The strongest version of this narrative is that we have entered a "machine-speed" era of cybersecurity where AI is simultaneously the greatest shield and the most potent sword. The acceleration of patch cycles is a rational response to a world where the window between vulnerability discovery and weaponization has effectively collapsed.
The underlying paradigm is one of "reductive complexity." We are seeing the fallout of decades of additive coding—billions of lines of legacy software—finally being audited by non-human intelligence. The tension here lies in the "Exploitability Index." When a human expert labels a flaw as "unlikely" to be exploited, they are measuring human effort. AI does not experience effort; it performs brute-force analytics. The gap between Microsoft's "Less Likely" rating and CISA's "Known Exploited" list suggests a dangerous lag in how defenders perceive risk versus how AI-driven attackers execute it.
This shift threatens to diminish human agency in system administration. When the volume of patches reaches a point where "waiting a few days" is a survival strategy to avoid instability, the user is caught in a double bind: risk a breach or risk a crash. The benefit accrues to the AI tool-builders, while the cost is borne by the end-user in the form of perpetual instability and a constant state of digital fragility.
Patterns detected: none
Root Cause: The collision of legacy human-written code (characterized by "subtle mistakes") with AI-driven discovery tools creates a visibility crisis that legacy risk-rating systems cannot quantify.
Bridge Questions: If AI can find 570 bugs in a month, does the concept of a "secure system" still exist, or is security now merely a race of update cadence? At what point does the instability caused by frequent patching become a greater operational risk than the vulnerabilities themselves?
Counterstrike Scan: A coordinated campaign would likely use this to push a "total rewrite" narrative to sell a specific AI-generated OS or security suite. The current content is descriptive and critical of the existing process, not promotional. Clean.
Sentinel — Human
The text appears to be a blend of factual reporting on Microsoft's patch cycle and a dense, stream-of-consciousness reflection on the role of AI in software development, exhibiting strong human authorial voice.
