A massive wave of security updates landed this week, as Microsoft raced to patch a staggering 167 vulnerabilities. This represents the second-largest Patch Tuesday in history, a critical response to an escalating threat landscape.
The scope of these updates is far-reaching, extending beyond Windows and Office to encompass Microsoft’s cloud services. Worryingly, one Office vulnerability is already being actively exploited by attackers, and details of an exploit for a Defender flaw were publicly known *before* a fix was available.
Eight of the identified vulnerabilities are classified as “critical,” demanding immediate attention. The vast majority of the remaining issues are considered “high risk,” meaning they pose a significant threat to system security.
Within the Office suite, fourteen vulnerabilities have been addressed, including ten that could allow attackers to execute code remotely. Three of these – affecting Word and Office generally – are deemed critical, and exploit a dangerous weakness: the preview pane. A malicious file doesn’t even need to be opened to trigger an attack.
A particularly concerning issue is a zero-day vulnerability in SharePoint Server 2016 and 2019. This flaw, already exploited in the wild, allows attackers to view and manipulate information, though access restrictions remain intact. Details surrounding the exploitation remain limited.
The bulk of the updates – 131 in total – target various versions of Windows (10, 11, and Server). These address a wide range of security concerns, including a previously known “elevation of privilege” vulnerability in Defender. The researcher who discovered this flaw, frustrated with the initial response, publicly released a proof-of-concept exploit.
Four critical vulnerabilities within Windows allow for remote code execution. These include flaws in the core TCP/IP stack and the Internet Key Exchange (IKE) service, both of which are considered potential pathways for worm-like attacks that could spread rapidly.
The Remote Desktop Client also harbors a critical vulnerability, requiring a user to connect to a compromised Remote Desktop server. Another critical flaw exists in Active Directory, demanding user login credentials and proximity on the same network segment.
Rounding out the critical vulnerabilities is a rare “Denial of Service” flaw in the .NET Framework. This allows an attacker to potentially cripple any application built on .NET, simply by overwhelming it with network traffic.
The Edge browser also received a significant update, addressing 60 Chromium vulnerabilities in addition to Edge-specific flaws. This update, version 147.0.3912.60, is crucial for maintaining a secure browsing experience.
The next scheduled Patch Tuesday is May 12th, 2026. Vigilance and prompt application of these updates are paramount in safeguarding systems against evolving cyber threats.