Remix.run Logo
Microsoft Patches a Record 570 Security Flaws(krebsonsecurity.com)
75 points by robin_reala 8 hours ago | 34 comments
charonn0 4 hours ago | parent | next [-]

It seems like bug hunting might be the one area where AI is actually making the world a better place.

beebmam 16 minutes ago | parent | next [-]

99.9% of people complaining about AI making the world a worse place would be fully happy with AI if they shared in the economic benefits of automation.

azinman2 9 minutes ago | parent [-]

Not if it ends up deskilling society and taking away what brings us meaning in life.

ashleyn 4 hours ago | parent | prev [-]

How many were introduced by misuse of AI coding/vibe coding though?

miffy900 3 hours ago | parent | next [-]

highly unlikely for many of them. SharePoint, bitlocker, Active directory, hyper-v, rdp, DHCP and MSMQ are all software/technologies that have decades of history and long pre-dated LLMs. seriously, do people not realise it was entirely possible to write insecure or bad code before LLMs?

shakna 2 hours ago | parent [-]

Sure, that's true.

It is also true that Copilot is currently in use developing Bitlocker and Sharepoint. So I wouldn't be confident saying it was one or the other.

stackghost 3 hours ago | parent | prev | next [-]

At Microslop? Evidently, lots.

DANmode 4 hours ago | parent | prev [-]

How many were known, and put on the roadmap because war got hot?

fuckinpuppers an hour ago | parent | prev | next [-]

This is great. Now ask Mythos to make windows suck less and let it go crazy.

ReactiveJelly an hour ago | parent | prev | next [-]

They should patch that Global Device ID thing

:^)

kingforaday 2 hours ago | parent | prev | next [-]

Full July 2026 Summary: https://www.bleepingcomputer.com/microsoft-patch-tuesday-rep...

devin an hour ago | parent | prev | next [-]

How many are chained, and how many patches are defense-in-depth after discovering chained paths to that flaw?

lousken 5 hours ago | parent | prev | next [-]

It would be nice if microsoft had windows update for .net, visual c++, office, windows, edge ... just all their software in one updater, but that would be too easy...

netsharc 4 hours ago | parent | next [-]

Isn't that... Windows Update? At least last time I looked it would update .net runtimes, Office, what else? OK, Visual Studio has its own update mechanism. Edge is part of the OS, isn't it?

miffy900 2 hours ago | parent [-]

it's still an opt-in setting though. Windows and OS-components like drivers and Edge do get auto updated yes, but to enable Microsoft Update, you still need to turn on a setting in the Settings app. even setting up a new PC/laptop with windows, this is off by default.

jayd16 2 hours ago | parent | prev | next [-]

It did work that way for .NET versions but the patches and upgrades caused too many bugs and incompatibility. Folks would install old .net versions anyway.

The pattern moved to packaging in all your dependencies.

Winget/Microsoft Store etc could auto-update your apps even with packaged .NET DLLs, though.

nobodyandproud 5 hours ago | parent | prev [-]

You mean…service packs?

anonymars 2 hours ago | parent [-]

No, "Microsoft Update" is what it was once called (see e.g. https://learn.microsoft.com/en-us/windows/deployment/update/...)

freitasm 5 hours ago | parent | prev | next [-]

I wonder how many bugs will be introduced with these fixes...

hulitu 13 minutes ago | parent | next [-]

They don't introduce bugs. They introduce feature experiences.

ronsor 5 hours ago | parent | prev [-]

No bugs, only intentional backdoors

naturalmovement 5 hours ago | parent | prev | next [-]

Sounds like a lot but compare it to Edge also being patched for 428 Chromium CVEs this month.

If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.

If Chromium has that many security bugs, perhaps the move fast and break things approach of spraying diarrhea masquerading as code into a keyboard — in a rush to add new features no one asked for — needs to be reexamined.

sellmesoap 24 minutes ago | parent | next [-]

20 years ago a malformed packet to winsock would crash the computer, 5 years later installing win2k on my buddies computer (no router/firewall) a few minutes after we finished the install "windows will reboot in nn seconds" whelp time to re-install without a network connection... we've added a lot of layers since win2k, mostly in the name of ease of development, and I don't feel like we've met that goal but we sure found a way to get a million monkies behind a million typwriters, and now we're aiming to replace the monkies with simulated monkies. Time to smell my fingers and fall out of the tree ;-D

tokioyoyo 5 hours ago | parent | prev | next [-]

20 years ago software wasn't as much battle tested as today, had way less feature set, was less connected to the internet, and etc. 428 CVEs looks small, assuming not all have CVSS 9.8 or something.

lousken 5 hours ago | parent [-]

It was more tested as real testers were testing it. Nowadays, AI just checks the code.

pixl97 3 hours ago | parent [-]

I guess we should find some of this old source code and test it for exploits to see what is true.

fragmede 3 hours ago | parent [-]

https://github.com/microsoft/ms-dos

encom 37 minutes ago | parent | prev | next [-]

>features no one asked for

Google asked for them. That's all that matters.

georgemcbay 5 hours ago | parent | prev | next [-]

> If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.

For something as complex as an operating system or a web browser, even one from 20 years ago (say, Windows XP or IE/Firefox) I wouldn't have believed there were 428 vulnerabilities either, I would have assumed there were much more than that.

dylan604 5 hours ago | parent | prev [-]

Even if it had the Microsoft logo attached? Windows was always known to not be the most secure of products. I can't imagine anything else from the same company would be any better

gerdesj 5 hours ago | parent | prev | next [-]

"Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence."

If only real intelligence found the fucking things instead.

As ye sew, so shall ye reap!

d0100 5 hours ago | parent | prev [-]

An employee just got phished by adding a number to a legitimate deviceAdd login route that bypasses 2FA and adds a device with full access to office and mail

Probably working as intended...

shakna an hour ago | parent | next [-]

Sounds like one of ADOs recent security misconfiguration vulnerability announcements. The customer is blamed, for not quite hardening everything the right way, when ADO config is... A sizeable task.

xorl 5 hours ago | parent | prev [-]

I always click NO to these, that's full human error. edit: The underlying issue is that they send a 2FA before asking for a password at all.