By the Numbers: A Historic Security Dump
Microsoft just shipped its biggest Patch Tuesday ever — and it’s not even close. The company closed 622 vulnerabilities in its own products, according to its Security Update Guide. That’s more than triple the previous record of around 200 flaws addressed in June 2024.
Put simply: This is a monster release. And among those hundreds of fixes, two stand out because attackers are already using them in real-world campaigns.
The Two Zero-Days You Need to Patch First
Both actively exploited bugs were reported by incident response teams. Microsoft credits those responders for each discovery — a sign that the company is leaning on frontline defenders to catch what automated scanners miss.
While the full technical details are still emerging, the pattern is familiar: one flaw likely enables remote code execution, the other a privilege escalation. Together, they give attackers a potent one-two punch. If you’re responsible for patching Windows systems, these two should be at the very top of your list.
What Makes a Zero-Day ‘Actively Exploited’?
Microsoft distinguishes between publicly known vulnerabilities and those under active attack. A zero-day under active exploitation means attackers have working code and are using it right now — not just proof-of-concept exploits floating around in research labs. That elevates the urgency significantly.
Why This Patch Tuesday Is Unprecedented
The sheer volume is staggering. Microsoft’s previous high was around 200 CVEs in a single month. Now we’re looking at 622 — a 200% increase. That’s not a gradual climb; it’s a spike. Analysts point to several drivers:
- More code, more bugs: Microsoft’s product surface area keeps expanding, especially with cloud services, AI features, and the ongoing integration of Windows and Office.
- Better detection: Internal and external researchers are finding flaws faster, partly thanks to improved tooling and bug bounty programs.
- Disclosure catch-up: Some of these CVEs may have been held back from previous releases and are now being shipped together.
Whatever the reasons, IT teams now face a massive patching workload. Prioritization isn’t optional — it’s survival.
How to Prioritize These Patches
With 622 fixes, you can’t install them all at once. Here’s a practical approach:
- Patch the two actively exploited zero-days immediately. These are the ones attackers are using right now. No delay.
- Fix critical-rated remote code execution bugs next. These don’t require user interaction and can spread like worms.
- Address privilege escalation flaws that could let an attacker gain admin rights after an initial foothold.
- Schedule the rest in your normal patch cycle, prioritizing internet-facing systems and servers.
Microsoft’s Security Response Center (MSRC) usually publishes a risk-based guide alongside Patch Tuesday. Check that before you start.
What This Means for Security Teams
Record patch volumes are becoming the new normal. In 2023, Microsoft shipped over 1,200 CVEs total. If this pace holds, 2024 could blow past 2,000. That’s a lot of updates for any organization to manage.
The key takeaway: Don’t treat every patch equally. Focus on the actively exploited bugs first, then the critical remote code execution flaws, then everything else. Automate what you can, but keep a human eye on the threat landscape.
Also worth noting: This record doesn’t mean Microsoft’s software is getting less secure. It means the detection and disclosure ecosystem is working. More bugs found and fixed before they become major incidents is a good thing — even if it hurts on patch day.
For now, get those two zero-days patched. The rest can wait a few days.