Microsoft has joined the ranks of companies using artificial intelligence models to look for vulnerabilities in large codebases, and said its MDASH scanner found four critical remote code execution (RCE) bugs in Windows.
These were in the TCP/IP networking stack in the Windows kernel, the Internet Key Exchange (IKE) version 2 and Netlogon services, as well as the domain name service (DNS) application programming interface (API) library, Microsoft said.
MDASH, the AI tool built by Microsoft’s Autonomous Code Security Team, found a further 12 vulnerabilities in the above stacks, Taesoo Kim, the company’s vice president of agentic security, said in a technical report on the effort.
The Autonomous Code Security Team is made up of several members from Team Atlanta from Georgia Tech, which won a US$20 million ($27.6 million) prize in the United States Defense Advanced Research Projects Agency’s (DARPA) AI Cyber Challenge competition.
Kim leads Team Atlanta and is a professor at Georgia Tech, but is currently on leave with Microsoft.
Microsoft said 10 of the vulnerabilities are in kernel mode and six in user mode, with the majority reachable from a network position with no credentials required. They were patched in April and May.
In the CyberGym AI agents benchmark, which comprises 1507 real-world vulnerability reproduction tasks from 188 projects in Google’s OSS-Fuzz program, MDASH scored 88.45 percent, putting it in the top spot of the leaderboard currently.
A separate test using the non-released StorageDrive driver used internally by Microsoft for security researcher interviews, and not found in large language model (LLM) data, saw MDASH spot all 21 deliberately injected vulnerabilities with zero false positives.
Microsoft did not publish the false positive rates for MDASH, or say how many candidate findings were generated before the 16 CVEs made it to the patching stage.
The abbreviation for the AI tool stands for multi-model agentic scanning harness, and it uses over 100 specialised AI agents “across an ensemble of frontier and distilled models to discover, debate and prove exploitable bugs end-to-end,” Microsoft said.
MDASH is currently in a private preview with a small number of customers, and with Microsoft’s own security engineering teams.
Other security teams can sign up to join the preview as well.

