
Microsoft’s record-breaking July security update, potentially covering more than 600 Common Vulnerabilities and Exposures (CVEs), signals a shift in how software flaws are discovered and managed, according to managed service provider executives.
AI Models Accelerate Discovery
For months, the industry has anticipated that powerful AI models would increase the rate at which software flaws are found. The recent release appears to confirm this shift, as hundreds of vulnerabilities were patched in a single day.
Dustin Childs, head of threat awareness at TrendAI, counted 621 new Microsoft CVEs for the July update, which he called “astonishing.” This number dwarfs the 206 CVEs covered in June and the typical monthly count of fewer than 100 seen in previous years. Of these, 63 were rated “critical,” though only two were listed as under active exploitation.
Microsoft has been using AI to find bugs for years. In April, the company announced Project Glasswing, a program that gives Anthropic access to its systems to find vulnerabilities in Microsoft products. OpenAI has provided similar access through the Trusted Access for Cyber initiative. The scale of this month’s disclosure suggests these tools are now producing results on a massive level.
The use of AI in vulnerability discovery is a significant development, as it allows for the identification of flaws that may have gone undetected by human researchers. This, in turn, enables Microsoft to address potential security issues before they can be exploited by malicious actors. The fact that Anthropic’s Claude Mythos model and OpenAI’s models are being used for this purpose highlights the importance of AI in modern cybersecurity.
The New Patching Reality
Executives say the flood of flaws changes how they handle security. Travis Woods, strategic executive advisor at Fort Point IT, believes the industry has moved past a point where human defenders can compete with automated attackers. “It’s AI against AI. Because AI against human is done,” he said.
Related: HPE Jenson On Sales Strategy And Pricing To Win
With so many bugs to address, simply prioritizing by the severity rating is no longer enough. Woods noted that MSPs must pull in more data to decide which patches matter most for each customer environment. Zack Finstad, vice president of cybersecurity at Logically, agreed that organizations will have to evaluate the specific risks their unique setups face.
This scale of discovery presents a difficult logistical challenge for IT teams. Because so many flaws are fixed at once, the traditional process of thorough testing and validation in labs before deployment is becoming harder to maintain. “We may not have the time to do the diligence that we’ve always done,” Finstad said. “We may just have to buckle down, patch and deal with the fallout that comes out afterwards.”
The need for more efficient patching processes is exacerbated by the fact that not all vulnerabilities can be addressed immediately. Organizations must therefore develop strategies for evaluating the risks associated with delaying patches for certain CVEs. This requires a deep understanding of the specific threats posed by each vulnerability, as well as the potential consequences of not addressing them promptly.
Furthermore, the increased use of AI in vulnerability discovery raises questions about the potential for threat actors to leverage similar capabilities. As Finstad noted, it is likely only a matter of time before malicious actors gain access to powerful AI tools, which could significantly escalate the threat setting. This highlights the need for organizations to stay ahead of the curve in terms of their security postures, investing in the latest technologies and strategies to protect themselves against emerging threats.
The long-term implications of this shift in vulnerability discovery and management are significant. As Woods observed, the traditional model of patching, where organizations focus on processing a monthly list of vulnerabilities, is no longer tenable. Instead, patching will become a continuous process, with organizations constantly evaluating and prioritizing risks in order to stay secure. This requires a fundamental transformation in the way that IT teams approach security, with a greater emphasis on proactive risk management and strategic decision-making.
