Microsoft Plans Two Security Bulletins for Tiny Patch Tuesday

Microsoft's tiny May Patch Tuesday update next week will include only two bulletins to fix security vulnerabilities in Windows Server and Office applications.

Microsoft will be giving IT administrators a break with only two security bulletins in May's Patch Tuesday. The company had released 17 bulletins in April.

Both scheduled bulletins in May's Patch Tuesday release will address security vulnerabilities in Windows and the Office suite, Microsoft said in its advance notice on May 5. One bulletin is categorized as "critical" and the other is "important." In contrast, there were nine "critical" bulletins in April.

Microsoft tends to follow months with heavy update loads with light releases, according to Jason Miller, a data team manager with Shavlik Technologies.

Despite the small release, system administrators should prioritize the updates. "Both bulletins are for remote code-execution vulnerabilities, so IT administrators should track them closely and address them quickly," said Wolfgang Kandek, CTO at vulnerability scanning services firm Qualys.

The "critical" bulletin will affect all supported versions of Windows Server, including 2003, 2008 and 2008 R2. The update applies to both Windows Server 2008 and 2008 R2 regardless of whether or not the operating system was installed with the Server Core option, the company said. The security hole exposes the server to a remote code execution attack.

The desktop versions, Windows XP, Vista and 7 will not need the update. Microsoft did not disclose at this time any details regarding the security flaw being fixed.

The "important" bulletin addresses a security flaw that, if left unpatched, would allow attackers to remotely execute arbitrary code on the system. The vulnerability affects Microsoft Office XP and 2003 on Windows and Office 2004 and 2008 for Mac OS X. PowerPoint XP, 2003 and 2007 will be patched as well as core Office files and the Office Compatibility Pack.

The latest version, Office 2010, is not affected by the flaw, according to Microsoft.

Microsoft separately announced it will be modifying its Exploitability Index, a rating system that indicate the likelihood of a security flaw being used in an attack within the next 30 days, Maarten Van Horenbeeck, senior security program manager, wrote on TechNet. Starting with next week's Patch Tuesday release, the company will provide two index ratings for each bug, one for new platforms and another for older versions, Van Horenbeeck said.

Customers will be able to prioritize the security updates that match the systems they own. With two ratings, administrators managing newer machines can take into consideration new security features built-in to Windows 7 SP1 and Office 2010 when prioritizing bulletins,

Windows 7 has several new security technologies such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) baked into the operating system to help prevent vulnerabilities from being exploited.

These measures are not available by default on Windows XP. A security flaw could exist in both version of the operating system, but having ASLR enabled may make it less critical on Windows 7 than on Windows XP, Van Horenbeeck said. Having two ratings would help system administrators assess risk more accurately.

Microsoft will also be calculating a "Denial of Service" risk score. A remote code execution vulnerability that is difficult to exploit can still crash a computer, Van Horenbeeck wrote. A denial of service may be "permanent," in which case the program or operating system exits unexpectedly and requires a restart, or "temporary," in which case the program or operating merely becomes unresponsive during the course of the attack.

"For administrators of internet-facing services, this can often be the difference between a highly important, and insignificant vulnerability," Van Horenbeeck wrote.

April was a tough month for system administrators trying to stay ahead of the patches. Along with last month's massive update, they also had to consider Adobe's out-of-band updates to fix zero-day vulnerabilities in Flash, Acrobat and Reader. Systems administrators also had to be aware of Apple's updates for Safari and iTunes, as well as Oracle's quarterly Critical Patch Update release.

"Take advantage of this lighter Patch Tuesday to catch up with the massive patch day last month and all of the other 3rd party security releases since then," Miller said.

The patches are expected to be released on May 10.