Microsoft Ships 139 Security Fixes, Flagging CVSS 9.8 Windows RCEs for Fast Patching
Updated · Computerworld · May 15
139 updates across Windows, Office, .NET and SQL Server landed in Microsoft’s May Patch Tuesday, with no zero-days but enough critical flaws to trigger “Patch Now” guidance for Windows, Office and Edge-managed environments.
Three unauthenticated network bugs drive the urgency: Netlogon and DNS Client RCEs at CVSS 9.8, plus a Microsoft SSO plugin flaw for Jira and Confluence; Microsoft also patched 11 TCP/IP issues and two CLFS elevation-of-privilege bugs.
Four Word Preview Pane RCEs rated 8.4 can fire just by previewing a malicious file in Outlook or File Explorer, while SharePoint Server and SQL Server each received high-severity remote-code-execution fixes.
Testing is focused on internet-facing services, domain controllers and Office endpoints, with Microsoft marking the WinSock driver and optional Telnet client as higher-regression components and urging validation of SQL Server, Hyper-V, clustering and Active Directory workloads.
Windows 10 and Windows Server still carry April’s BitLocker recovery condition on some PCR7 configurations, even as Microsoft pushes Secure Boot certificate rollover ahead of key expirations between June and October 2026.