Overview
- Microsoft shipped a record set of security updates on June 9 that cover 206 vulnerabilities across Windows, Office, Exchange, Edge and cloud services.
- The update package fixed multiple critical remote code execution flaws in core Windows components, including the kernel, HTTP.sys and the DHCP client, which can allow remote attackers to run code with system privileges.
- An elevation‑of‑privilege bug in Microsoft Defender (CVE‑2026‑41091) that was seen in the wild was mitigated by Microsoft through Malware Protection Engine and Defender updates that deploy automatically.
- Security researcher Nightmare Eclipse published proof‑of‑concept code for a new Defender zero‑day called RoguePlanet that can yield system rights and currently has no patch, keeping short‑term risk elevated for patched systems.
- Administrators are advised to prioritize the critical RCE patches, verify their Malware Protection Engine version, apply Edge and Office fixes, and follow Microsoft’s component‑specific mitigations because mixed cloud, server and endpoint environments complicate rollout.