Microsoft's tiny May Patch Tuesday update next week will include only two bulletins to fix security vulnerabilities in Windows Server and Office applications.
Microsoft will be giving IT administrators a break with only
two security bulletins in May's Patch Tuesday. The company had released 17
bulletins in April.
Both scheduled bulletins in May's
release will address security vulnerabilities in Windows and
the Office suite, Microsoft said in its advance notice on May 5. One bulletin
is categorized as "critical" and the other is "important." In contrast, there
were nine "critical" bulletins in April
Microsoft tends to follow months with heavy update loads
with light releases, according to Jason Miller, a data team manager with
Despite the small release, system administrators should
prioritize the updates. "Both bulletins are for remote code-execution
vulnerabilities, so IT administrators should track them closely and address
them quickly," said Wolfgang Kandek, CTO at vulnerability scanning services
The "critical" bulletin will affect all supported versions
of Windows Server, including 2003, 2008 and 2008 R2. The update applies to both
Windows Server 2008 and 2008 R2 regardless of whether or not the operating
system was installed with the Server Core option, the company said. The
security hole exposes the server to a remote code execution attack.
The desktop versions, Windows XP, Vista and 7 will not need
the update. Microsoft did not disclose at this time any details regarding the
security flaw being fixed.
The "important" bulletin addresses a security flaw that, if
left unpatched, would allow attackers to remotely execute arbitrary code on the
system. The vulnerability affects Microsoft Office XP and 2003 on Windows and
Office 2004 and 2008 for Mac OS X. PowerPoint XP, 2003 and 2007 will be patched
as well as core Office files and the Office Compatibility Pack.
The latest version, Office 2010, is not affected by the
flaw, according to Microsoft.
Microsoft separately announced it will be modifying its Exploitability
, a rating system that indicate the likelihood of a security flaw
being used in an attack within the next 30 days, Maarten Van Horenbeeck, senior
security program manager, wrote on TechNet. Starting with next week's Patch
Tuesday release, the company will provide two index ratings for each bug, one for
new platforms and another for older versions, Van Horenbeeck said.
Customers will be able to prioritize the security updates that
match the systems they own. With two ratings, administrators managing newer
machines can take into consideration new security features built-in to Windows
7 SP1 and Office 2010 when prioritizing bulletins,
Windows 7 has several new security technologies such as
Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP)
baked into the operating system to help prevent vulnerabilities from being
These measures are not available by default on Windows XP. A
security flaw could exist in both version of the operating system, but having
ASLR enabled may make it less critical on Windows 7 than on Windows XP, Van
Horenbeeck said. Having two ratings would help system administrators assess
risk more accurately.
Microsoft will also be calculating a "Denial of Service"
risk score. A remote code execution vulnerability that is difficult to exploit
can still crash a computer, Van Horenbeeck wrote. A denial of service may be
"permanent," in which case the program or operating system exits unexpectedly
and requires a restart, or "temporary," in which case the program or operating
merely becomes unresponsive during the course of the attack.
"For administrators of internet-facing services, this can
often be the difference between a highly important, and insignificant
vulnerability," Van Horenbeeck wrote.
April was a tough month for system administrators trying to
stay ahead of the patches. Along with last month's massive update, they also
had to consider Adobe's out-of-band updates to fix zero-day vulnerabilities in
, Acrobat and Reader. Systems
administrators also had to be aware of Apple's
updates for Safari and iTunes
, as well as Oracle's quarterly Critical Patch
"Take advantage of this lighter Patch Tuesday to catch up
with the massive patch day last month and all of the other 3rd party security
releases since then," Miller said.
The patches are expected to be released on May 10.