Microsoft just fixed a record 570+ security flaws, two of them already used by attackers. Here's the short list that matters for a small business.
Yesterday, Microsoft released fixes for more than 570 security flaws in a single day — the biggest Patch Tuesday in the company's history, per BleepingComputer. Last month's batch set a record at just over 200. This one nearly tripled it.
Big numbers make headlines. What a small business needs is smaller: which of those fixes actually affect you, and what to do this week. That list is short.
Why the number exploded
Not because the world got three times more dangerous overnight. Microsoft announced last week that it has started using AI to hunt for bugs across Windows before attackers find them — and warned that monthly fix counts would jump as a result. More flaws found by the vendor and fixed quietly in a routine update is good news wearing an alarming headline. Expect these big months to keep coming.
(You'll see different totals in the news — SecurityWeek counts 622 using Microsoft's full release notes. The difference is counting method, not danger.)
The three fixes worth your attention
1. Two flaws attackers are already using — but only on certain servers. The two actively exploited bugs this month live in Active Directory Federation Services (CVE-2026-56155) and SharePoint Server (CVE-2026-56164) — the second one exploitable over the network with no password. Plain English: both are on-premises server products — software a business runs on a server it owns, not the SharePoint and sign-in that come with a Microsoft 365 subscription. Microsoft patches the cloud versions for you; there's nothing for you to install there. Most small businesses run neither. But if an IT company set up your systems years ago, you might have one humming in a closet without knowing it. That's the question to ask this week.
2. A BitLocker bypass — the stolen-laptop scenario. BitLocker is the Windows feature that encrypts a computer's disk so a thief who steals the machine can't read the files. One of this month's fixes (CVE-2026-50661) closes a flaw, publicly known before yesterday, that gave an attacker with physical access a way around that protection. Installing the July update closes it. It matters most for laptops that travel.
3. Remote Desktop. July's batch includes several fixes for Remote Desktop — the feature that lets someone control a Windows machine over the network — among them a critical one (CVE-2026-50474) in the app your PC uses to connect, and a remote-code-execution bug in the underlying protocol (CVE-2026-56190) that SecurityWeek flags as deserving attention. All of them install with the normal July update. If your business still has Remote Desktop reachable from the internet (common in older work-from-home setups), update those machines first — and ask whether they need to face the internet at all.
Your 15-minute plan
- Check Windows Update and restart. Settings → Windows Update on each PC, or confirm your IT provider pushes updates automatically. An update sitting at "pending restart" hasn't protected anyone yet.
- Ask your IT provider two questions, by name: "Do we run SharePoint Server or Active Directory Federation Services on any server of our own — and if so, are July's fixes installed?" and "Is Remote Desktop reachable from the internet anywhere?" A good provider answers both same-day.
- Restart your browser. A separate batch of 468 fixes for Edge and Chrome ships through the browser itself and only takes effect after a restart. Close it fully once today.
- One note if you still have Windows 10 machines: they only received yesterday's fixes if they're enrolled in Microsoft's paid Extended Security Updates program. If you're not sure, add that to the list for your IT provider.
The habit beats the headline
Record months like this one are the new normal, and the businesses that stay safe won't be the ones reading every bulletin — they'll be the ones with a boring, repeatable update habit: second Tuesday of the month, 15-minute check a few days later. If you want an outside opinion on where you stand, Tenant Strike's read-only scan grades your Microsoft 365 setup A–F and shows the exact fix for anything it finds — nothing to install, under five minutes.
Sources: BleepingComputer, SecurityWeek
AI-researched from public sources, human-reviewed on July 19, 2026. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.