Article 76WS3 Microsoft warns customers AI will mean busier Patch Tuesdays

Microsoft warns customers AI will mean busier Patch Tuesdays

by
from www.theregister.com - Articles on (#76WS3)
Story ImageMicrosoft has warned customers to expect more security patches for the foreseeable future, thanks to AI. As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release," the company's executive veep for Windows + Devices, Pavan Davuluri, wrote in a Thursday post that describes how Microsoft is changing its internal processes to spot software vulnerabilities using AI. His post later points out that Microsoft offers many fine tools to automate patching, and his view that customers who use them will be able to keep pace with increased volumes of patches. Davuluri's post argues that investment in automated patching tools is justifiable and sensible because Microsoft's use of AI to deliver more patches improves overall security. By applying AI across security analysis, we can identify patterns faster, prioritize risk and scale vulnerability discovery across the Windows codebase," he wrote. Sometimes that might mean Microsoft products contain fewer vulnerabilities. We continue to evolve our internal systems and practices so that vulnerability discovery is not treated as a separate activity, but as part of how we build, review and improve Windows before new features or updates are released," he wrote. The post explains that Microsoft uses a tool called the multi-model agentic scanning harness (MDASH), which apparently utilizes multiple models including leading third-party AI vulnerability discovery models." To run MDASH at Windows scale, Windows set up dedicated cloud infrastructure for scanning and proving," Davuluri wrote. A scanner pipeline scans critical binaries and validates candidates using multi-model debate across multiple model families. Confirmed candidates then flow to a separate, Windows-specific prove pipeline that helps eliminate remaining false positives, so only the highest-confidence findings reach the engineering team." The executive veep said that process handle a larger volume of potential vulnerabilities and shortens the review window for new ones, shrinking the attack window for zero-day exploits." Microsoft is not alone in using AI to deliver more patches: Oracle recently announced AI bug-finders mean it will add a monthly critical patch dump to its current quarterly security update service. It's hard to argue against vendors finding and fixing more flaws, and perhaps over time AI will mean their products contain fewer vulnerabilities that need a fix. However, The Register is yet to hear of AI being used to create more or longer change windows that admins can use to implement all these extra patches. VMware has responded to that harsh reality with a new offering it calls "Express Patches" that ship indepdentently of and more frequently that its product updates and can be applied in any order, rather than requiring an upgrade before a patch will work. (R)
External Content
Source RSS or Atom Feed
Feed Location http://www.theregister.co.uk/headlines.atom
Feed Title www.theregister.com - Articles
Feed Link https://www.theregister.com/
Reply 0 comments