#software-patches

#software-patches

The Copilot app cannot be removed arbitrarily. Three cumulative conditions apply: Microsoft 365 Copilot must also be installed on the device, the Copilot app must not have been installed by the user themselves, and the app must not have been launched in the past 28 days.

Microsoft is rolling out changes to Windows Update, allowing users to indefinitely delay updates up to 35 days at a time, addressing common complaints about disruptions.

CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting its LogScale product. The flaw can allow a remote attacker to read arbitrary files from the server filesystem.

A Common Vulnerability Exposure (CVE) that cannot reach the privilege plane is operationally ineffective - even at a CVSS Score of 10. This should be a core philosophy that is embedded into the fabric of software engineering.

I was always a tinkerer, I guess. I grew up in the age where computers were not ubiquitous or common. An experience as a kid was instrumental in how my career happened.

But are things getting worse? According to Register readers, and the company's own release health dashboard, the answer has to be yes. It isn't just you. The frequency of emergency out-of-band releases for the company's operating systems has been rapidly increasing to the point where, for every Patch Tuesday update, there'll likely be at least one out-of-band patch to fix whatever got broken.

This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).

Users just need to click a malicious link or shortcut file, and the attacker's code runs without any warning prompts. Microsoft's security teams, along with Google Threat Intelligence Group and an anonymous researcher, caught this one. "Bypassing Windows Shell and SmartScreen protections significantly increases the success rate of malware delivery and phishing campaigns," said Mike Walters, president and co-founder of Action1, in an email to TechRepublic. "Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching."

First in line is CVE-2025-40551 (CVSS score of 9.8), a critical flaw described as an untrusted data deserialization issue that could lead to remote code execution (RCE) without authentication. According to Horizon3.ai, which discovered and reported the defect, CVE-2025-40551 exists in AjaxProxy functionality, where requests destined for other functions are improperly sanitized, and a blocklist function can be bypassed by including allowed terms early in a JSON payload.