Rendered at 19:35:19 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
lionkor 11 hours ago [-]
If I find a bug in very important MS products, I usually do report them using their shitty feedback app. Not once has any of that yielded anything.
Maybe a way to find tons of high impact bugs would be to let MS developers access those bug reports?
7bit 9 hours ago [-]
There's more direct channels to report security vulnerabilities - which this about.
transcriptase 6 hours ago [-]
Perhaps the feedback boxes they put in every app should actually be read. That’s a them problem.
voakbasda 5 hours ago [-]
Those boxes are not there to generate feedback. They are there to placate the user by implying that their voice will be heard.
wafflemaker 5 hours ago [-]
I reported 3 errors/feature requests in Oura Ring app. After going through the reporting process I felt much less irritated at the bugs and smiled to myself thinking that must have been the purpose of the reports.
To my astonishment, 3-4 months later they fixed the errors and rolled out the feature I asked about.
WTH, people read those reports?
I know people do, I often get in touch with support for various services, knowing that in the sea of people not giving feedback, your comments mean a lot. But up until recently both the Oura App and their support was very mediocre.
Where's my enshittification?
charonn0 19 hours ago [-]
It seems like bug hunting might be the one area where AI is actually making the world a better place.
kmfrk 7 hours ago [-]
There's also the weird scenario of a reporting bias where instead of admitting to a bunch of vulnerabilities, you can frame it as "look at how useful AI is".
We even have companies implementing solutions for ffmpeg vulnerabilities themselves instead of just handing them the vulns to fix themselves.
It's very possible the tide reverses if it's not in people's interest to advocate for AI anymore, so we better not get too used to it just in case.
It's nice that we currently have an alignment of AI advocacy and infosec, though. Maybe Microsoft can even point their AI to their questionable UX and UI practices next.
ptdorf 9 hours ago [-]
Depends. If the AI fixes don't introduce new bugs or unnecessary complexity (where bugs like to hide), then yes.
ashleyn 18 hours ago [-]
How many were introduced by misuse of AI coding/vibe coding though?
miffy900 17 hours ago [-]
highly unlikely for many of them. SharePoint, bitlocker, Active directory, hyper-v, rdp, DHCP and MSMQ are all software/technologies that have decades of history and long pre-dated LLMs. seriously, do people not realise it was entirely possible to write insecure or bad code before LLMs?
warshinder 12 hours ago [-]
It’s like people don’t remember the whole outsourcing trend and all the awful code that came from that.
datakan 10 hours ago [-]
Don't forget the damned interns!
mr_mitm 10 hours ago [-]
Everyone but me!
christophilus 8 hours ago [-]
Hey, I wrote slop at Microsoft way before it was cool.
matwood 12 hours ago [-]
> seriously, do people not realise it was entirely possible to write insecure or bad code before LLMs?
Some of these threads make me think every line of code written pre-LLMs was apparently perfect in all ways. Feels like romanticizing the past.
shakna 16 hours ago [-]
Sure, that's true.
It is also true that Copilot is currently in use developing Bitlocker and Sharepoint. So I wouldn't be confident saying it was one or the other.
dpoloncsak 1 hours ago [-]
It's funny because SharePoint and AD are so god-forsakenly awful you would think they're vibe coded if you didn't know any better
pjmlp 14 hours ago [-]
Especially if they made heavy use of offshoring, which I would bet they did.
Leherenn 12 hours ago [-]
For what it's worth, at my workplace AI has uncovered quite a few issues that have been there for a decade or two and survived countless rounds of careful reviews, external security analysis, pen testing and so forth for all those years.
onion2k 11 hours ago [-]
Vibe-coded apps probably have loads, but mostly because they're using less capable models than the people who're doing the bug-hunting. Once vibe-coders are using models like Mythos too you should expect the number of bugs in vibe-coded apps to collapse quickly, because the LLM will write the bugs but will also fix them (assuming the system prompt tells it to.)
Foobar8568 9 hours ago [-]
For some reasons, models are blind to their own output...
tyre 7 hours ago [-]
Not my experience with my homie Claudius.
The code review agent usually has feedback to be resolved before committing, which includes bugs and unhandled edge cases. Sometimes the primary context is understandably embarrassed.
Sometimes it truly be your own people.
coldtea 8 hours ago [-]
One reason seems obvious/intuitive: because their own output matches their own biases, that is, is a direct result of their model walks.
tyre 6 hours ago [-]
I think this could be true if you use a single Claude context, since it has its own reasoning in the context.
But a separate code review agent does much better, in my experience.
damian260 12 hours ago [-]
The distinction I'd draw is between AI-assisted and AI-generated. Using AI to write isolated functions you understand and review is different from prompting your way to a complete system you can't debug. The second case is where you get surprising failures at runtime that no amount of linting catches.
ColdStream 13 hours ago [-]
It is hard to tell, the code may genuinely be decent quality or not.
That is the issue with vibe coding. Increased output but reduced understanding. So if something does go wrong, one has to hope that there is still enough understanding to address it quickly.
high_na_euv 11 hours ago [-]
3 or 4
Razengan 10 hours ago [-]
Is it worse than what humans were doing on their own anyway?
prmoustache 6 hours ago [-]
Well yes if they expect to find and correct more bugs every update which is pretty much what they are saying.
Razengan 2 hours ago [-]
If AI ever manages to make something half as atrocious as Windows XP that would probably be the first proof of AGI.
wccrawford 8 hours ago [-]
No, just more prolific.
DANmode 18 hours ago [-]
How many were known, and put on the roadmap because war got hot?
iJohnDoe 18 hours ago [-]
[flagged]
stackghost 18 hours ago [-]
At Microslop? Evidently, lots.
sublimefire 10 hours ago [-]
It was like a bunch of mythos scans through and through which then generated the reports for everyone to implement, not sure if in all orgs though. Mythos was great as it came from the top, i.e. a clear incentive. I think bug reporting otherwise does not reach the engineers unless an incident is raised by the customer care against a responsible team.
prmoustache 6 hours ago [-]
I am curious, they say we should expect a trend of more security patches every update.
It this is true and Microsoft devs are using agents it means that AI is doing a shitty job and is introducing more bugs/vulns per month than it fixes them. Otherwise you would have had a lot of bugs/vulns fixed in the first 2 security updates then a steady and significant reduction every month because any new code would have been scanned and fixed before release.
amelius 10 hours ago [-]
Bad guys can use AI too. Not sure about the net result.
beebmam 15 hours ago [-]
99.9% of people complaining about AI making the world a worse place would be fully happy with AI if they shared in the economic benefits of automation.
azinman2 14 hours ago [-]
Not if it ends up deskilling society and taking away what brings us meaning in life.
ivell 13 hours ago [-]
I don't see why AI would deskill what you love to do. People still do embroidery even though mass manufacturing exists. If you love something you would continue doing it irrespective of automation.
wood_spirit 13 hours ago [-]
For a lot of people it’s not the job that is rewarding it the role having a job gives them in life and home life. Financially contributing to the household through earning it through work is a meaningful and rewarding thing that can define the near total of how good you feel about yourself thing even if you don’t like the job?
voidUpdate 12 hours ago [-]
But do people make a living doing embroidery by hand? Or is it more of a hobby?
12 hours ago [-]
close04 11 hours ago [-]
For better or worse this round of "automation" will hit harder than most others because it comes for what makes you you. Your brain, not your body. The industrial revolution replaced your body, this one could in theory replace you entirely. And it isn't coming for some job, it comes for most. It's not just a hobby but being able to do the job. You are replacing 10000 types of jobs with 1 type: AI prompter. We'll probably have an AI just to help ask for the right thing.
You have transferred all the skills and knowledge to the AI. When the skills are gone, who's going to teach you to do any non-trivial job? What will give you any sense of accomplishment when all you do is ask the AI but have no capability yourself?
Even if you have a guaranteed income, because "your AI" is getting paid for the work, where will you be with close to 0 contribution to anything? Maybe we're overreacting and this will never be an issue. I know we shouldn't take cues from fiction to predict reality but it's hard not to picture a world with a combination of Idiocracy and Wall-e (or the famous "Paradise" Matrix) where we decay because the change is so fundamental that we aren't ready to adapt.
Foobar8568 9 hours ago [-]
Yeah this round replaces both body and knowledge.
Basically what is left is internal politics and cross company dynamics until we get to the point where a company is self autonomous.
ares623 13 hours ago [-]
Yes. I love eating pieces of string. I'm partial to wool myself, really filling.
I suppose you're a cake enjoyer, miss Marie Antoinette?
13 hours ago [-]
14 hours ago [-]
7 hours ago [-]
pjc50 10 hours ago [-]
The bonuses SK Hynix staff are getting might vindicate that point of view. Of course, that's from AI investment, not revenue itself. They are the extremely successful shovel manufacturers, who for once have managed to leverage their power collectively as employees to benefit from a one-off like this.
Perhaps it has always been the case that people would be happy if they shared the benefits, but that is not how the world run by billionaires works.
coldtea 8 hours ago [-]
"People complaining slavery makes the world a worse place would be fully happy if they were slave owners"
Probably, but just proves people can ignore bad things when they benefit them.
Not what it pretends to prove, that the thing isn't bad.
blitzar 11 hours ago [-]
for your first couple of B you stop complaining about anything
parineum 14 hours ago [-]
I've been benefitting from automation my entire life. I don't see why anything would change when that automation is driven by language models.
ReactiveJelly 16 hours ago [-]
They should patch that Global Device ID thing
:^)
fuckinpuppers 16 hours ago [-]
This is great. Now ask Mythos to make windows suck less and let it go crazy.
stubish 10 hours ago [-]
It would certainly make sense to sick it on all those crash reports and complaints. All the obscure 0x error codes that end up with you being punted to the forums for 'community support' and being told to reinstall everything.
ColdStream 13 hours ago [-]
Deletes Windows 11
Installs Windows 7 with new patches
blitzar 11 hours ago [-]
Installs Windows 3.11 with no new patches
throwaway27448 12 hours ago [-]
What would be the point of any of this if the registry is still there? It'd just a particularly shit version of linux window management that happens to run games well
Cthulhu_ 11 hours ago [-]
The registry was never an issue tbh, it's just a database that some companies decided to fearmonger about to sell you "registry cleaners".
But if I'm wrong, please do point us in the direction of known issues with the registry.
RiverCrochet 35 minutes ago [-]
Calling the registry a database makes it seem better engineered than it really is.
Running queries on the registry like SQLite? Nope. The Windows registry internally from what I've been able to read is a weird reimplementation of a file system (a trivial database I guess but a real database lets you index on things other than name). It's compact but as far as I know completely unofficially documented.
(Most data structures with unique names or ids for each data item could trivially be considered databases, but generally if you say something is a database, you typically expect to create queries more sophisticated than "select data where name is X" and also expect to be able to create or use separate indexes to support those queries.)
The reputation of brittleness and danger of the registry is because Windows stores a lot of configuration parameters there that the kernel uses as boot, but because it's not a plain text file, comments explaining what the settings do can't be right there in the same place you're editing.
tonyedgecombe 10 hours ago [-]
It was easy to corrupt in the early days and performance was poor as it grew in size.
That was a long time ago though, it’s pretty solid now and has some benefits over storing settings in a bunch of text files such as more granular permissions.
throwaway27448 9 hours ago [-]
The registry absolutely is an issue—it's everything bad people make the command line out to be except ten times worse because they haven't bothered to fix it in forty years. You need to cooy and paste an incomprehensible string off the internet just to set the functionality of the caps lock key or rewire a file extension. Just straight up dogshit softwareif you weren't raised in the cult
1vuio0pswjnm7 6 hours ago [-]
The attack surface of Windows is infinite
As one door closes, another opens
"Features"
"Fixes"
Job security
Security holes
The threat model is Microsoft
JSTucker 13 hours ago [-]
If you want an easy way to view these I made https://wofa.dev to keep track of windows updates and security patches in a single place
ozim 9 hours ago [-]
Gets me wondering if it is real or they just got a backlog quick fixes dropped so it looks like AI bug hunting really works to prop up their AI bullshit narrative.
I wonder how many bugs will be introduced with these fixes...
ColdStream 13 hours ago [-]
Fix one and add two.
There used to be a brilliant weather app here in Oz back in the early days of iOS. I always loved the update notes the author provided. One was "Fixed one grammatical error and introduced another one, can you find it?"
Cthulhu_ 11 hours ago [-]
It depends on how good their testing practices and code review / auditing are. I want to believe they are some of the best in the industry, but that's making assumptions.
But jumping to assumptions that fixes introduce bugs is a bit rash and assumes incompetence / unprofessionality / unmonitored AI usage / kneejerk bugfix processes.
Chu4eeno 10 hours ago [-]
Microsoft (in)famously fired all their QA people like a decade ago.
Foobar8568 9 hours ago [-]
Most Saas delegated QA to their clients...
tonyedgecombe 10 hours ago [-]
I remember some research from IBM that showed that every two bug fixes introduced another bug. Effectively your queue for bugs is twice as long as you think.
hulitu 14 hours ago [-]
They don't introduce bugs. They introduce feature experiences.
windexh8er 8 hours ago [-]
That feature experience often crops up as a choose-your-own-adventure game! Looks like their users are loving it [0].
How many are chained, and how many patches are defense-in-depth after discovering chained paths to that flaw?
lousken 19 hours ago [-]
It would be nice if microsoft had windows update for .net, visual c++, office, windows, edge ... just all their software in one updater, but that would be too easy...
netsharc 19 hours ago [-]
Isn't that... Windows Update? At least last time I looked it would update .net runtimes, Office, what else? OK, Visual Studio has its own update mechanism. Edge is part of the OS, isn't it?
miffy900 17 hours ago [-]
it's still an opt-in setting though. Windows and OS-components like drivers and Edge do get auto updated yes, but to enable Microsoft Update, you still need to turn on a setting in the Settings app.
even setting up a new PC/laptop with windows, this is off by default.
lozenge 8 hours ago [-]
That's likely because of antitrust. If they let their software hook into Windows Update, then they would need to let everybody do the same.
lousken 5 hours ago [-]
What antitrust? It is a security feature and for regular apps windows has ms store that can do auto updating as well.
lousken 11 hours ago [-]
e.g. visual c++ isnt included tho; Office 365 same thing
bux93 9 hours ago [-]
And teams. And new outlook. And powertoys. Onedrive. SQL Server. The Microsoft store. Winget. I'm also not confident Windows Update actually does update Office, which also retains its own update mechanism.
ihsw 18 hours ago [-]
[dead]
jayd16 16 hours ago [-]
It did work that way for .NET versions but the patches and upgrades caused too many bugs and incompatibility. Folks would install old .net versions anyway.
The pattern moved to packaging in all your dependencies.
Winget/Microsoft Store etc could auto-update your apps even with packaged .NET DLLs, though.
leumon 11 hours ago [-]
It's (somewhat) possible with winget already.
keyringlight 10 hours ago [-]
IIRC winget is another mechanism with a CLI front-end that resembles a package manager. What it does is either hook into the windows store (another channel) for packages, or points to an installer which likely runs silently in the background, for example 'winget show adobe.acrobat.reader.64-bit' or 'microsoft.vcredist.2015+.x64'
Can't believe that at one point Windows could do updates through a browser interface.
I mean we've gone full circle and are now deploying browser interfaces as full blown applications to get around the bit where you give a browser system access, but still.
naturalmovement 19 hours ago [-]
Sounds like a lot but compare it to Edge also being patched for 428 Chromium CVEs this month.
If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.
If Chromium has that many security bugs, perhaps the move fast and break things approach of spraying diarrhea masquerading as code into a keyboard — in a rush to add new features no one asked for — needs to be reexamined.
sellmesoap 15 hours ago [-]
20 years ago a malformed packet to winsock would crash the computer, 5 years later installing win2k on my buddies computer (no router/firewall) a few minutes after we finished the install "windows will reboot in nn seconds" whelp time to re-install without a network connection... we've added a lot of layers since win2k, mostly in the name of ease of development, and I don't feel like we've met that goal but we sure found a way to get a million monkies behind a million typwriters, and now we're aiming to replace the monkies with simulated monkies. Time to smell my fingers and fall out of the tree ;-D
Cthulhu_ 11 hours ago [-]
Chromium is a three-decades-long project (origins coming from Webkit, which comes from KHTML, which was 1998) - I can assure you that does not meet the "move fast and break things" phrase you're trying to smear it with.
tokioyoyo 19 hours ago [-]
20 years ago software wasn't as much battle tested as today, had way less feature set, was less connected to the internet, and etc. 428 CVEs looks small, assuming not all have CVSS 9.8 or something.
lousken 19 hours ago [-]
It was more tested as real testers were testing it. Nowadays, AI just checks the code.
pixl97 18 hours ago [-]
I guess we should find some of this old source code and test it for exploits to see what is true.
Is that true or an assumption? I don't think Chrome and co would discard their decades worth of automated testing practices in favor of AI.
Actually I don't need to think / assume, it's an open source project.
lousken 5 hours ago [-]
Chrome? That is a younger project and it was much less automated back in the day.
Cthulhu_ 11 hours ago [-]
20 years ago was 2006, I can assure you we were very consciously aware of things being permanently connected to the internet by then.
That said, sure, it had a fraction of the features back then, and only a fraction of the world population was connected to the internet.
HeatrayEnjoyer 13 minutes ago [-]
>That said, sure, it had a fraction of the features back then, and only a fraction of the world population was connected to the internet.
And the world was better for it. Connectivity and internet are not inherent goods. They can be used for good purposes but it is hard to argue that has been the mean.
hilariously 12 hours ago [-]
Chromium is probably 30 million+ lines of code, and we generally see that as things get more complex its even easier to accidentally write code which can be exploited.
If it has 1 vulnerability in every 10k loc of code we'd be talking about 3,000 vulns (with no churn) - we used to care about defect density, and most software wouldn't go more than a few hundred lines without SOME bug, whether that's a "vulnerability" is often a layered question.
georgemcbay 19 hours ago [-]
> If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.
For something as complex as an operating system or a web browser, even one from 20 years ago (say, Windows XP or IE/Firefox) I wouldn't have believed there were 428 vulnerabilities either, I would have assumed there were much more than that.
encom 15 hours ago [-]
>features no one asked for
Google asked for them. That's all that matters.
dylan604 19 hours ago [-]
Even if it had the Microsoft logo attached? Windows was always known to not be the most secure of products. I can't imagine anything else from the same company would be any better
19 hours ago [-]
dhx 14 hours ago [-]
Title is not correct. Microsoft didn't patch a lot of this, they're reporting patches for dependencies that other people patched and Microsoft are inheriting.
For example, Mariner (now branded Azure Linux) is a Microsoft-supported Linux distribution. So in this list of 570 vulnerabilities, Microsoft have reported 100 vulnerabilities inherited from all sorts of open source software projects included in their Azure Linux distribution. The OpenSSH vulnerabilities are described in better detail at https://www.openssh.org/releasenotes.html where it implies 2 vulnerabilities were detected with Swival Security Scanner (using LLMs) and another 6 by other researchers/companies (using undisclosed methods).
As an example of one of the OpenSSH vulnerabilites CVE-2026-59996 which is attributed to Swival Security Scanner, Swival have published the output of their automated vulnerability detection report at https://github.com/Swival/security-audits/blob/main/openssh/...
Releases without cve patches used to be quite common, max ive seen before were 3
shevy-java 12 hours ago [-]
It is time to abandon Microsoft.
alex_duf 10 hours ago [-]
While I do think it's wise for people to start looking at alternatives, I don't think this specific news should sway one way or another.
Windows (like Linux or macos) contains an enormous amount of code, and with large code-bases you're certain to have security issues.
Finding these security issues and fixing them seems like a good idea, no matter how much you love or hate Windows.
HeatrayEnjoyer 11 minutes ago [-]
Code can exist without vulnerabilities. Verifiable proof exists. It is hard, but it is possible.
tonyedgecombe 10 hours ago [-]
Microsoft has its place but I’m not sure that includes personal computers anymore.
gerdesj 20 hours ago [-]
"Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence."
If only real intelligence found the fucking things instead.
As ye sew, so shall ye reap!
Cthulhu_ 11 hours ago [-]
By all means, show us your records of finding vulnerabilities that thousands of engineers and security researchers missed over decades.
Not sure what the biblical quote is about either.
d0100 19 hours ago [-]
An employee just got phished by adding a number to a legitimate deviceAdd login route that bypasses 2FA and adds a device with full access to office and mail
Probably working as intended...
shakna 16 hours ago [-]
Sounds like one of ADOs recent security misconfiguration vulnerability announcements. The customer is blamed, for not quite hardening everything the right way, when ADO config is... A sizeable task.
xorl 19 hours ago [-]
I always click NO to these, that's full human error.
edit: The underlying issue is that they send a 2FA before asking for a password at all.
Maybe a way to find tons of high impact bugs would be to let MS developers access those bug reports?
To my astonishment, 3-4 months later they fixed the errors and rolled out the feature I asked about.
WTH, people read those reports?
I know people do, I often get in touch with support for various services, knowing that in the sea of people not giving feedback, your comments mean a lot. But up until recently both the Oura App and their support was very mediocre.
Where's my enshittification?
We even have companies implementing solutions for ffmpeg vulnerabilities themselves instead of just handing them the vulns to fix themselves.
It's very possible the tide reverses if it's not in people's interest to advocate for AI anymore, so we better not get too used to it just in case.
It's nice that we currently have an alignment of AI advocacy and infosec, though. Maybe Microsoft can even point their AI to their questionable UX and UI practices next.
Some of these threads make me think every line of code written pre-LLMs was apparently perfect in all ways. Feels like romanticizing the past.
It is also true that Copilot is currently in use developing Bitlocker and Sharepoint. So I wouldn't be confident saying it was one or the other.
The code review agent usually has feedback to be resolved before committing, which includes bugs and unhandled edge cases. Sometimes the primary context is understandably embarrassed.
Sometimes it truly be your own people.
But a separate code review agent does much better, in my experience.
That is the issue with vibe coding. Increased output but reduced understanding. So if something does go wrong, one has to hope that there is still enough understanding to address it quickly.
It this is true and Microsoft devs are using agents it means that AI is doing a shitty job and is introducing more bugs/vulns per month than it fixes them. Otherwise you would have had a lot of bugs/vulns fixed in the first 2 security updates then a steady and significant reduction every month because any new code would have been scanned and fixed before release.
You have transferred all the skills and knowledge to the AI. When the skills are gone, who's going to teach you to do any non-trivial job? What will give you any sense of accomplishment when all you do is ask the AI but have no capability yourself?
Even if you have a guaranteed income, because "your AI" is getting paid for the work, where will you be with close to 0 contribution to anything? Maybe we're overreacting and this will never be an issue. I know we shouldn't take cues from fiction to predict reality but it's hard not to picture a world with a combination of Idiocracy and Wall-e (or the famous "Paradise" Matrix) where we decay because the change is so fundamental that we aren't ready to adapt.
Basically what is left is internal politics and cross company dynamics until we get to the point where a company is self autonomous.
I suppose you're a cake enjoyer, miss Marie Antoinette?
Perhaps it has always been the case that people would be happy if they shared the benefits, but that is not how the world run by billionaires works.
Probably, but just proves people can ignore bad things when they benefit them.
Not what it pretends to prove, that the thing isn't bad.
:^)
Installs Windows 7 with new patches
But if I'm wrong, please do point us in the direction of known issues with the registry.
Running queries on the registry like SQLite? Nope. The Windows registry internally from what I've been able to read is a weird reimplementation of a file system (a trivial database I guess but a real database lets you index on things other than name). It's compact but as far as I know completely unofficially documented.
(Most data structures with unique names or ids for each data item could trivially be considered databases, but generally if you say something is a database, you typically expect to create queries more sophisticated than "select data where name is X" and also expect to be able to create or use separate indexes to support those queries.)
The reputation of brittleness and danger of the registry is because Windows stores a lot of configuration parameters there that the kernel uses as boot, but because it's not a plain text file, comments explaining what the settings do can't be right there in the same place you're editing.
That was a long time ago though, it’s pretty solid now and has some benefits over storing settings in a bunch of text files such as more granular permissions.
As one door closes, another opens
"Features"
"Fixes"
Job security
Security holes
The threat model is Microsoft
There used to be a brilliant weather app here in Oz back in the early days of iOS. I always loved the update notes the author provided. One was "Fixed one grammatical error and introduced another one, can you find it?"
But jumping to assumptions that fixes introduce bugs is a bit rash and assumes incompetence / unprofessionality / unmonitored AI usage / kneejerk bugfix processes.
[0] https://www.neowin.net/news/it-admins-feel-overwhelmingly-si...
The pattern moved to packaging in all your dependencies.
Winget/Microsoft Store etc could auto-update your apps even with packaged .NET DLLs, though.
I mean we've gone full circle and are now deploying browser interfaces as full blown applications to get around the bit where you give a browser system access, but still.
If 20 years ago you told me a single piece of software had 428 vulnerabilities I wouldn't have believed it.
If Chromium has that many security bugs, perhaps the move fast and break things approach of spraying diarrhea masquerading as code into a keyboard — in a rush to add new features no one asked for — needs to be reexamined.
Actually I don't need to think / assume, it's an open source project.
That said, sure, it had a fraction of the features back then, and only a fraction of the world population was connected to the internet.
And the world was better for it. Connectivity and internet are not inherent goods. They can be used for good purposes but it is hard to argue that has been the mean.
If it has 1 vulnerability in every 10k loc of code we'd be talking about 3,000 vulns (with no churn) - we used to care about defect density, and most software wouldn't go more than a few hundred lines without SOME bug, whether that's a "vulnerability" is often a layered question.
For something as complex as an operating system or a web browser, even one from 20 years ago (say, Windows XP or IE/Firefox) I wouldn't have believed there were 428 vulnerabilities either, I would have assumed there were much more than that.
Google asked for them. That's all that matters.
For example, Mariner (now branded Azure Linux) is a Microsoft-supported Linux distribution. So in this list of 570 vulnerabilities, Microsoft have reported 100 vulnerabilities inherited from all sorts of open source software projects included in their Azure Linux distribution. The OpenSSH vulnerabilities are described in better detail at https://www.openssh.org/releasenotes.html where it implies 2 vulnerabilities were detected with Swival Security Scanner (using LLMs) and another 6 by other researchers/companies (using undisclosed methods).
As an example of one of the OpenSSH vulnerabilites CVE-2026-59996 which is attributed to Swival Security Scanner, Swival have published the output of their automated vulnerability detection report at https://github.com/Swival/security-audits/blob/main/openssh/...
https://devblogs.microsoft.com/dotnet/dotnet-and-dotnet-fram...
Releases without cve patches used to be quite common, max ive seen before were 3
Windows (like Linux or macos) contains an enormous amount of code, and with large code-bases you're certain to have security issues.
Finding these security issues and fixing them seems like a good idea, no matter how much you love or hate Windows.
If only real intelligence found the fucking things instead.
As ye sew, so shall ye reap!
Not sure what the biblical quote is about either.
Probably working as intended...