Microsoft has released software updates to plug at least 570 security holes

123 pointsposted 12 hours ago
by robin_reala

69 Comments

lionkor

39 minutes ago

If I find a bug in very important MS products, I usually do report them using their shitty feedback app. Not once has any of that yielded anything.

Maybe a way to find tons of high impact bugs would be to let MS developers access those bug reports?

charonn0

8 hours ago

It seems like bug hunting might be the one area where AI is actually making the world a better place.

ashleyn

8 hours ago

How many were introduced by misuse of AI coding/vibe coding though?

onion2k

26 minutes ago

Vibe-coded apps probably have loads, but mostly because they're using less capable models than the people who're doing the bug-hunting. Once vibe-coders are using models like Mythos too you should expect the number of bugs in vibe-coded apps to collapse quickly, because the LLM will write the bugs but will also fix them (assuming the system prompt tells it to.)

miffy900

6 hours ago

highly unlikely for many of them. SharePoint, bitlocker, Active directory, hyper-v, rdp, DHCP and MSMQ are all software/technologies that have decades of history and long pre-dated LLMs. seriously, do people not realise it was entirely possible to write insecure or bad code before LLMs?

shakna

5 hours ago

Sure, that's true.

It is also true that Copilot is currently in use developing Bitlocker and Sharepoint. So I wouldn't be confident saying it was one or the other.

warshinder

an hour ago

It’s like people don’t remember the whole outsourcing trend and all the awful code that came from that.

matwood

2 hours ago

> seriously, do people not realise it was entirely possible to write insecure or bad code before LLMs?

Some of these threads make me think every line of code written pre-LLMs was apparently perfect in all ways. Feels like romanticizing the past.

pjmlp

4 hours ago

Especially if they made heavy use of offshoring, which I would bet they did.

ColdStream

2 hours ago

It is hard to tell, the code may genuinely be decent quality or not.

That is the issue with vibe coding. Increased output but reduced understanding. So if something does go wrong, one has to hope that there is still enough understanding to address it quickly.

Leherenn

2 hours ago

For what it's worth, at my workplace AI has uncovered quite a few issues that have been there for a decade or two and survived countless rounds of careful reviews, external security analysis, pen testing and so forth for all those years.

damian260

an hour ago

The distinction I'd draw is between AI-assisted and AI-generated. Using AI to write isolated functions you understand and review is different from prompting your way to a complete system you can't debug. The second case is where you get surprising failures at runtime that no amount of linting catches.

DANmode

7 hours ago

How many were known, and put on the roadmap because war got hot?

stackghost

7 hours ago

At Microslop? Evidently, lots.

beebmam

4 hours ago

99.9% of people complaining about AI making the world a worse place would be fully happy with AI if they shared in the economic benefits of automation.

azinman2

4 hours ago

Not if it ends up deskilling society and taking away what brings us meaning in life.

ivell

3 hours ago

I don't see why AI would deskill what you love to do. People still do embroidery even though mass manufacturing exists. If you love something you would continue doing it irrespective of automation.

wood_spirit

3 hours ago

For a lot of people it’s not the job that is rewarding it the role having a job gives them in life and home life. Financially contributing to the household through earning it through work is a meaningful and rewarding thing that can define the near total of how good you feel about yourself thing even if you don’t like the job?

voidUpdate

an hour ago

But do people make a living doing embroidery by hand? Or is it more of a hobby?

close04

42 minutes ago

For better or worse this round of "automation" will hit harder than most others because it comes for what makes you you. Your brain, not your body. The industrial revolution replaced your body, this one could in theory replace you entirely. And it isn't coming for some job, it comes for most. It's not just a hobby but being able to do the job. You are replacing 10000 types of jobs with 1 type: AI prompter. We'll probably have an AI just to help ask for the right thing.

You have transferred all the skills and knowledge to the AI. When the skills are gone, who's going to teach you to do any non-trivial job? What will give you any sense of accomplishment when all you do is ask the AI but have no capability yourself?

Even if you have a guaranteed income, because "your AI" is getting paid for the work, where will you be with close to 0 contribution to anything? Maybe we're overreacting and this will never be an issue. I know we shouldn't take cues from fiction to predict reality but it's hard not to picture a world with a combination of Idiocracy and Wall-e (or the famous "Paradise" Matrix) where we decay because the change is so fundamental that we aren't ready to adapt.

ares623

3 hours ago

Yes. I love eating pieces of string. I'm partial to wool myself, really filling.

I suppose you're a cake enjoyer, miss Marie Antoinette?

blitzar

an hour ago

for your first couple of B you stop complaining about anything

parineum

3 hours ago

I've been benefitting from automation my entire life. I don't see why anything would change when that automation is driven by language models.

fuckinpuppers

5 hours ago

This is great. Now ask Mythos to make windows suck less and let it go crazy.

ColdStream

2 hours ago

Deletes Windows 11

Installs Windows 7 with new patches

throwaway27448

an hour ago

What would be the point of any of this if the registry is still there? It'd just a particularly shit version of linux window management that happens to run games well

Cthulhu_

38 minutes ago

The registry was never an issue tbh, it's just a database that some companies decided to fearmonger about to sell you "registry cleaners".

But if I'm wrong, please do point us in the direction of known issues with the registry.

blitzar

an hour ago

Installs Windows 3.11 with no new patches

JSTucker

2 hours ago

If you want an easy way to view these I made https://wofa.dev to keep track of windows updates and security patches in a single place

ReactiveJelly

5 hours ago

They should patch that Global Device ID thing

:^)

devin

5 hours ago

How many are chained, and how many patches are defense-in-depth after discovering chained paths to that flaw?

shevy-java

an hour ago

It is time to abandon Microsoft.

freitasm

9 hours ago

I wonder how many bugs will be introduced with these fixes...

Cthulhu_

36 minutes ago

It depends on how good their testing practices and code review / auditing are. I want to believe they are some of the best in the industry, but that's making assumptions.

But jumping to assumptions that fixes introduce bugs is a bit rash and assumes incompetence / unprofessionality / unmonitored AI usage / kneejerk bugfix processes.

ColdStream

2 hours ago

Fix one and add two.

There used to be a brilliant weather app here in Oz back in the early days of iOS. I always loved the update notes the author provided. One was "Fixed one grammatical error and introduced another one, can you find it?"

hulitu

4 hours ago

They don't introduce bugs. They introduce feature experiences.

gred

3 hours ago

Emergent product roadmap in action.

ronsor

9 hours ago

No bugs, only intentional backdoors

lousken

8 hours ago

It would be nice if microsoft had windows update for .net, visual c++, office, windows, edge ... just all their software in one updater, but that would be too easy...

netsharc

8 hours ago

Isn't that... Windows Update? At least last time I looked it would update .net runtimes, Office, what else? OK, Visual Studio has its own update mechanism. Edge is part of the OS, isn't it?

miffy900

6 hours ago

it's still an opt-in setting though. Windows and OS-components like drivers and Edge do get auto updated yes, but to enable Microsoft Update, you still need to turn on a setting in the Settings app. even setting up a new PC/laptop with windows, this is off by default.

lousken

an hour ago

e.g. visual c++ isnt included tho

leumon

29 minutes ago

It's (somewhat) possible with winget already.

jayd16

6 hours ago

It did work that way for .NET versions but the patches and upgrades caused too many bugs and incompatibility. Folks would install old .net versions anyway.

The pattern moved to packaging in all your dependencies.

Winget/Microsoft Store etc could auto-update your apps even with packaged .NET DLLs, though.

nobodyandproud

8 hours ago

You mean…service packs?

anonymars

6 hours ago

No, "Microsoft Update" is what it was once called (see e.g. https://learn.microsoft.com/en-us/windows/deployment/update/...)

Cthulhu_

35 minutes ago

Can't believe that at one point Windows could do updates through a browser interface.

I mean we've gone full circle and are now deploying browser interfaces as full blown applications to get around the bit where you give a browser system access, but still.

dhx

4 hours ago

Title is not correct. Microsoft didn't patch a lot of this, they're reporting patches for dependencies that other people patched and Microsoft are inheriting.

For example, Mariner (now branded Azure Linux) is a Microsoft-supported Linux distribution. So in this list of 570 vulnerabilities, Microsoft have reported 100 vulnerabilities inherited from all sorts of open source software projects included in their Azure Linux distribution. The OpenSSH vulnerabilities are described in better detail at https://www.openssh.org/releasenotes.html where it implies 2 vulnerabilities were detected with Swival Security Scanner (using LLMs) and another 6 by other researchers/companies (using undisclosed methods).

As an example of one of the OpenSSH vulnerabilites CVE-2026-59996 which is attributed to Swival Security Scanner, Swival have published the output of their automated vulnerability detection report at https://github.com/Swival/security-audits/blob/main/openssh/...

naturalmovement

9 hours ago

Sounds like a lot but compare it to Edge also being patched for 428 Chromium CVEs this month.

If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.

If Chromium has that many security bugs, perhaps the move fast and break things approach of spraying diarrhea masquerading as code into a keyboard — in a rush to add new features no one asked for — needs to be reexamined.

Cthulhu_

34 minutes ago

Chromium is a three-decades-long project (origins coming from Webkit, which comes from KHTML, which was 1998) - I can assure you that does not meet the "move fast and break things" phrase you're trying to smear it with.

hilariously

an hour ago

Chromium is probably 30 million+ lines of code, and we generally see that as things get more complex its even easier to accidentally write code which can be exploited.

If it has 1 vulnerability in every 10k loc of code we'd be talking about 3,000 vulns (with no churn) - we used to care about defect density, and most software wouldn't go more than a few hundred lines without SOME bug, whether that's a "vulnerability" is often a layered question.

sellmesoap

4 hours ago

20 years ago a malformed packet to winsock would crash the computer, 5 years later installing win2k on my buddies computer (no router/firewall) a few minutes after we finished the install "windows will reboot in nn seconds" whelp time to re-install without a network connection... we've added a lot of layers since win2k, mostly in the name of ease of development, and I don't feel like we've met that goal but we sure found a way to get a million monkies behind a million typwriters, and now we're aiming to replace the monkies with simulated monkies. Time to smell my fingers and fall out of the tree ;-D

tokioyoyo

9 hours ago

20 years ago software wasn't as much battle tested as today, had way less feature set, was less connected to the internet, and etc. 428 CVEs looks small, assuming not all have CVSS 9.8 or something.

Cthulhu_

32 minutes ago

20 years ago was 2006, I can assure you we were very consciously aware of things being permanently connected to the internet by then.

That said, sure, it had a fraction of the features back then, and only a fraction of the world population was connected to the internet.

lousken

8 hours ago

It was more tested as real testers were testing it. Nowadays, AI just checks the code.

Cthulhu_

31 minutes ago

Is that true or an assumption? I don't think Chrome and co would discard their decades worth of automated testing practices in favor of AI.

Actually I don't need to think / assume, it's an open source project.

georgemcbay

9 hours ago

> If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.

For something as complex as an operating system or a web browser, even one from 20 years ago (say, Windows XP or IE/Firefox) I wouldn't have believed there were 428 vulnerabilities either, I would have assumed there were much more than that.

encom

4 hours ago

>features no one asked for

Google asked for them. That's all that matters.

dylan604

9 hours ago

Even if it had the Microsoft logo attached? Windows was always known to not be the most secure of products. I can't imagine anything else from the same company would be any better

gerdesj

9 hours ago

"Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence."

If only real intelligence found the fucking things instead.

As ye sew, so shall ye reap!

Cthulhu_

30 minutes ago

By all means, show us your records of finding vulnerabilities that thousands of engineers and security researchers missed over decades.

Not sure what the biblical quote is about either.

d0100

9 hours ago

An employee just got phished by adding a number to a legitimate deviceAdd login route that bypasses 2FA and adds a device with full access to office and mail

Probably working as intended...

shakna

5 hours ago

Sounds like one of ADOs recent security misconfiguration vulnerability announcements. The customer is blamed, for not quite hardening everything the right way, when ADO config is... A sizeable task.

xorl

9 hours ago

I always click NO to these, that's full human error. edit: The underlying issue is that they send a 2FA before asking for a password at all.