微软修复了创纪录的 570 个安全漏洞
Microsoft Patches a Record 570 Security Flaws

原始链接: https://krebsonsecurity.com/2026/07/microsoft-patches-a-record-570-security-flaws/

微软发布了七月份破纪录的更新,修复了至少 570 个安全漏洞,数量几乎是上个月的三倍。该公司将这一激增归因于利用人工智能加速了漏洞发现。 此次更新包含了约 60 个“严重”缺陷和 3 个处于活跃状态的零日漏洞,其中包括微软 SharePoint 和 Active Directory 联合身份验证服务中的问题。值得注意的是,微软 Copilot 中一个高危的远程代码执行漏洞也得到了修复。 专家警告称,虽然人工智能有助于厂商更快地发现和修复漏洞,但也使攻击者能够更迅速地开发出漏洞利用程序。安全研究人员认为,微软传统的“可利用性指数”正变得过时,因为人工智能驱动的工具可以轻易证明,即便是“低风险”的漏洞也极易被利用。 在整个行业内,Adobe、思科和谷歌等主要厂商也在提高补丁的数量和频率。由于本月更新规模史无前例且可能导致系统不稳定,专家建议用户先备份数据,并考虑等待几天后再安装补丁。

Hacker News 最近的一场讨论指出,微软创纪录地发布了 570 个安全补丁,此外还修复了基于 Chromium 的 Edge 浏览器中的 428 个漏洞。 该话题在用户中引发了关于现代软件安全现状的辩论。许多人对如此庞大的 CVE(常见漏洞与披露)数量感到震惊,一些人质疑业界“快速行动并打破陈规”的开发文化是否是导致如此巨大攻击面的原因。批评者认为,现代软件的复杂性已经超过了安全防护能力,并指出即便是开源项目也无法幸免于此类漏洞。 反之,一些评论者指出,目前报告的漏洞数量部分归因于与二十年前相比更加严格的测试和更高的透明度。另一些人则强调,微软现在利用人工智能来识别这些缺陷,尽管一些用户怀疑人工智能驱动的发现方式可能无法替代更安全的初始编码实践。总体而言,这次对话反映了人们对软件漏洞反复出现,以及确保复杂的、高度互联的现代应用程序安全难度日益增加的深层挫败感。
相关文章

原文

Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.

A picture of a windows laptop in its updating stage, saying do not turn off the computer.

Nearly 60 of the bugs quashed in July’s Patch Tuesday earned a “critical” severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws that are already being exploited in the wild.

Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 — an Active Directory Federation Services bug — and CVE-2026-56164, a Microsoft Sharepoint vulnerability.

CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.

In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice “a higher volume of security updates included in each security release” as a result of AI aiding in the discovery of vulnerabilities.

“The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” Davuluri wrote.

Jack Bicer, director of vulnerability research at Action1, called attention to CVE-2026-48561, a remote code execution flaw in Microsoft Copilot (with a 9.6 CVSS threat score) that allows an unauthorized attacker to execute code over the network. Microsoft says an attacker could exploit this bug by hosting a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot when a user visits the site.

As AI advances the state of vulnerability discovery and remediation, it is also making it easier for attackers to quickly devise working exploits for known software flaws. Microsoft has long labeled security bugs using its “exploitability index,” which is Redmond’s best guess as to how likely it is that attackers will be able to figure out a reliable way to exploit a given vulnerability.

But Satnam Narang, senior staff research engineer at Tenable, argues that Microsoft’s exploitability index needs to do a better job of shifting with the machine speed of discovery. For example, Microsoft originally gave this month’s SharePoint zero-day an exploitability rating of “less likely,” although the flaw was added to CISA’s Known Exploited Vulnerabilities list on July 1.

“Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated ‘Exploitation Less Likely’ or ‘Exploitation Unlikely,'” Narang said. “What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.”

Chris Goettl at Ivanti observed that the record patch numbers from Microsoft come as a number of other major software makers are increasing their patch cadence, including Adobe which announced today it is moving to twice-monthly security bulletins published on the 2nd and 4th Tuesday of each month (Adobe also cited AI for accelerating their patch cycles). Cisco, Mozilla and Oracle also are shipping updates more frequently, while Google’s patch batches in June 2026 totaled more than 900 security fixes, Goettl noted.

Backing up your Windows system and/or data is always a good idea before applying operating system updates. Given the volume of patches addressed this month it may be wise for end users to wait a few days before applying these fixes. It’s not uncommon for security patches to introduce system stability issues, and those chances probably increase quite a bit with the gigantic patch count released today.

Further reading:

Action1’s Patch Tuesday blog

Automox’s rundown

联系我们 contact @ memedata.com