Technology
Microsoft’s giant July security update is a patch-now signal, not a panic button
Microsoft’s unusually large July security release deserves calm, practical action: update consumer devices, prioritize exploited SharePoint and AD FS flaws, and ignore the sales panic.

Technology reporting
Microsoft’s July security release is the kind of update that sounds scarier than it should — and still deserves real attention. On July 14, Microsoft published its July 2026 Security Updates, an unusually large batch that the company’s own release note says includes 622 Microsoft CVEs, plus 428 republished non-Microsoft Chromium CVEs. The affected product families are broad: Windows, Office, SharePoint Server, Exchange Server, SQL Server, Microsoft Edge, Defender, Azure, developer tools and several “other” products.
The practical takeaway is not “your Windows PC is doomed.” It is simpler and more useful: this is a month when delaying updates creates unnecessary exposure, especially for organizations running SharePoint Server or Active Directory Federation Services, and for households that let Windows, Office, Edge, mobile apps, and games update only when someone remembers.
What changed is the scale and the mix. Microsoft’s release note lists 416 Windows vulnerabilities, 82 Office vulnerabilities, 46 Edge vulnerabilities, 17 SharePoint Server vulnerabilities, 8 SQL Server vulnerabilities, 5 Exchange Server vulnerabilities, 5 Defender vulnerabilities, and 11 Azure vulnerabilities. Security reporter Brian Krebs separately counted at least 570 security holes in Microsoft products and noted that nearly 60 received a “critical” severity rating. Those numbers are not identical because vendors, CVE records, and reporters count product groupings and republished items differently. The point is not the trophy number. The point is that this was not a small housekeeping patch.
Three of the Microsoft flaws in the July release are marked by Microsoft as exploited. CISA has also added them to its Known Exploited Vulnerabilities catalog: CVE-2026-56155 in Active Directory Federation Services, CVE-2026-56164 in SharePoint Server, and CVE-2026-58644 in SharePoint. CISA listed the SharePoint elevation-of-privilege issue with a July 17 due date for covered federal agencies, the SharePoint remote-code-execution issue with a July 19 due date, and the AD FS issue with a July 28 due date. Those dates are federal remediation deadlines, not magic safety lines for everyone else, but they are a useful signal about priority.
For ordinary readers, this matters in two different ways.
First, many people are indirectly affected by enterprise systems they never touch by name. SharePoint and AD FS live behind company portals, school systems, intranets, document workflows, and sign-in infrastructure. If an employer, university, health system, contractor, or government office runs those systems, the risk is not that a random person at home needs to configure SharePoint. The risk is that unpatched business identity and collaboration systems can become a path into sensitive accounts, documents, and downstream phishing. That is why the advice for employees is not “be your own IT department.” It is to stop treating forced restarts, sign-in prompts, and update notices as pure nuisance when your organization says a security update window is coming.
Second, Microsoft’s July list includes products normal people do use directly. Windows updates are cumulative for Windows 10 and Windows 11, meaning the monthly security release carries the security fixes for supported versions along with other fixes. The release also includes Edge and Office fixes. Microsoft’s records list a BitLocker security-feature-bypass vulnerability, CVE-2026-50661, as publicly known but not exploited according to Microsoft. That one requires physical access, which lowers the risk for a laptop sitting at home and raises the risk for lost, stolen, shared, or seized devices. “Physical access required” is not nothing; it just means the threat model is different.
There is also a consumer-gaming angle that is easy to miss. Microsoft fixed CVE-2026-50663, a remote-code-execution vulnerability in Age of Empires II: Definitive Edition. Microsoft’s CVE entry describes it as a relative path traversal issue that could allow an unauthorized attacker to execute code over a network. TechCrunch reported that researchers said the flaw could be triggered through a malicious game invite path. Microsoft marks it as not publicly disclosed and not exploited in its official record. That distinction matters: this is not evidence of a mass gaming compromise. It is a reminder that games are software with network features, invites, lobbies, mods, and files — and they belong in the same update routine as browsers and office apps.
A separate concern landed right after the official patch release: Ars Technica reported that a researcher published proof-of-concept material for a new Windows elevation-of-privilege issue that Microsoft said it was investigating. Because that report involves a still-unpatched claim, readers should treat it as “watch closely,” not “panic now.” The safe version of the advice is boring on purpose: keep Windows updated, avoid creating unnecessary local accounts, do not run random scripts from social posts, and let your organization’s endpoint protections do their job. Publishing or repeating exploit mechanics would help the wrong people more than readers, so the useful public detail is the defensive one: exposed Windows machines and shared systems deserve extra monitoring until Microsoft completes its investigation.
The tradeoff this month is real. Huge patch bundles can create update fatigue, and they can occasionally break things. Krebs noted the ordinary caution that backing up a Windows system or data before applying operating-system updates is wise, especially when the patch count is large. That does not mean home users should sit on July’s fixes for weeks. It means do the sane sequence: save work, plug in the laptop, make sure important files are synced or backed up, run updates, restart, and check that the machine behaves normally.
For people at home, the checklist is short:
- Run Windows Update and install the July cumulative update for supported Windows 10 or Windows 11 systems. Restart when asked. A half-installed update is not a security plan.
- Update Microsoft Edge and Office/Microsoft 365 apps. Browsers and document apps are common targets because they handle links and files from strangers.
- If you play Age of Empires II: Definitive Edition, update it before joining multiplayer sessions or accepting game invites. Do not accept unexpected invites from accounts you do not recognize.
- Update Microsoft Copilot mobile apps if you use them on iOS or Android. Microsoft’s July records include CVE-2026-48561, a critical remote-code-execution vulnerability affecting Microsoft 365 Copilot for iOS and Android, marked not exploited and not publicly disclosed by Microsoft.
- If you use BitLocker, keep it on. Do not read a BitLocker bypass CVE as a reason to disable encryption. The right move is to patch and keep physical control of devices.
- Back up important files before big operating-system updates. Cloud sync is helpful, but it is not the same as a recovery plan if a file is deleted everywhere.
For small businesses and local organizations, the priorities are sharper:
- Patch internet-exposed SharePoint Server systems first. CISA’s catalog entries for CVE-2026-56164 and CVE-2026-58644 are the loudest signal in this batch.
- Check AD FS exposure and patch CVE-2026-56155 according to Microsoft guidance. Identity infrastructure is high-value because it sits between attackers and many other accounts.
- Inventory Microsoft servers that are out of sight: SharePoint, Exchange, SQL Server, legacy Windows Server, and developer tools used on build machines.
- Watch for suspicious authentication events, unexpected SharePoint behavior, and unusual privilege changes after patching. Patching closes a door; it does not prove nobody walked through it yesterday.
- Do not buy a security product just because a vendor says this is the biggest Patch Tuesday ever. Use the official CVE records and CISA’s exploited-vulnerability list to rank work.
This is where fear-mongering usually sneaks in. A large patch count does not automatically mean a large number of people are being hacked today. Severity ratings are not probability. “Critical” does not mean every user is one click from disaster, and “important” does not mean harmless. The confirmed facts are narrower and more useful: Microsoft shipped a very large July update; Microsoft says three listed vulnerabilities are exploited; CISA has put those three in its exploited-vulnerability catalog; at least one additional Windows issue was publicly described after the patch release and remains under Microsoft investigation; and consumer-facing products, including a Microsoft game and Copilot mobile apps, are part of the month’s security picture.
That is enough to act without spiraling. Update the systems you control. Respect the update windows for systems you do not control. Be skeptical of vendors trying to turn a serious patch month into a sales funnel. And if a device, account, or server handles sign-ins, documents, or money, treat July’s Microsoft updates as a priority, not background noise.
Sources
- Microsoft Security Update Guide: July 2026 Security Updates
- Microsoft CVE-2026-58644: Microsoft SharePoint Remote Code Execution Vulnerability
- CISA Known Exploited Vulnerabilities Catalog
- Krebs on Security: Microsoft Patches a Record 570 Security Flaws
- Ars Technica: Windows 0-day drops the same day Microsoft releases record number of patches
- TechCrunch: Microsoft patches bug in video game Age of Empires II
Shadowfetch is a technology publication. Explore Shadowfetch Linux — our own Linux build — and the Shadowfetch apps on the App Store.
Sources
- Microsoft Security Update Guide: July 2026 Security Updates
- Microsoft CVE-2026-58644: Microsoft SharePoint Remote Code Execution Vulnerability
- CISA Known Exploited Vulnerabilities Catalog
- Krebs on Security: Microsoft Patches a Record 570 Security Flaws
- Ars Technica: Windows 0-day drops the same day Microsoft releases record number of patches
- TechCrunch: Microsoft patches bug in video game Age of Empires II
The article cites Microsoft security records, CISA’s exploited-vulnerability catalog, and reporting from Krebs, Ars Technica, and TechCrunch.
Evidence types: official records, government catalog, security reporting, technology reporting
Links verified
See a problem in this story? Report an error · Corrections policy · Our methodology
The Daily Download
One morning email: the day’s biggest technology stories — AI, new devices, and the companies shaping them.
Related coverage
TechnologyChina’s new AI-governance bloc turns standards into a geopolitical contest
Kimmy Conner ·
TechnologyTelstra’s outage explanation is a reminder to make your phone less single-point-of-failure
Shannon Bulz ·
TechnologyEurope’s Google order turns AI search into a reader-choice test
Celine Moreau ·
