Microsoft fixes record 570 security flaws as AI finds more bugs
Microsoft said AI-assisted discovery helped produce a larger Patch Tuesday release, including fixes for two exploited zero-day flaws.
By Theo Nakamura · Staff Writer
· 3 min read
Microsoft pushed out fixes for a record 570 security vulnerabilities across Windows, Office and other products this week, according to the company’s monthly security release. For investors and customers, the update shows how AI is starting to change the basic plumbing of software: it can help find more flaws faster, but that also means more fixes to review and install.
The release landed Tuesday as part of Microsoft’s regular security update cycle, commonly known by security researchers as Patch Tuesday. A patch is a software update that closes a bug or weakness before attackers can keep using it.
Microsoft said last week in a Windows blog post that users should expect a larger-than-usual batch of fixes. The company attributed the jump to employees using artificial intelligence to identify security problems that had not been found before.
“As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release,” Windows chief Pavan Davuluri said in the blog post.
Two of the vulnerabilities fixed in the release were zero-days, according to Microsoft’s security advisories and the U.S. Cybersecurity and Infrastructure Security Agency. A zero-day is a flaw that attackers exploit before the software maker knows about it or has a fix ready.
One of the zero-days affected Windows Server, Microsoft’s operating system for business servers. Microsoft’s advisory said the flaw could let an attacker raise their access from a limited account to system administrator. That kind of bug is known as privilege escalation, meaning a hacker starts with restricted permissions and then gains deeper control of the system.
The other zero-day affected SharePoint, Microsoft’s file-sharing and collaboration server. CISA warned that attackers were actively exploiting the SharePoint flaw to break into organizations.
Krebs on Security first reported the record patch count.
The bigger release does not mean Microsoft suddenly created hundreds of new bugs this month. Microsoft’s explanation points to a different dynamic: as AI models get better at reviewing code for security issues, defenders may be able to surface older weaknesses that sat unnoticed inside large software products.
That matters for companies that run Microsoft software because patch volume can become an operations issue. Each fix can reduce security risk, but businesses still need to test and deploy updates across their own systems. For a company as widely used as Microsoft, that monthly maintenance cycle touches corporate networks, government agencies and smaller businesses that rely on Windows, Office, SharePoint and related products.
The release also highlights a broader AI tradeoff in cybersecurity. The same class of tools that can help defenders find hidden flaws can increase the pace of discovery overall. Microsoft’s message to customers is that more AI-assisted bug hunting may lead to more security updates, at least as previously unknown vulnerabilities come to light.
This story draws on original reporting from TechCrunch.