IT administrators get spring break from Microsoft on Patch Tuesday

One bulletin, rated “critical”, fixes flaws in Windows Server 2003, 2008, and 2008 R2; the other bulletin, rated “important”, patches problems with Office XP, 2003, and 2007 for Windows, as well as Office 2004 and 2008 for Mac. Both bulletins address remote code execution vulnerabilities, and patching may require a restart.

While the first bulletin is rated critical, it has “limited applicability”, noted Wolfgang Kandek, chief technology officer at Qualys. And users of newer versions of Office are not affected by the second bulletin, he added.

“However, as both bulletins are for remote code execution vulnerabilities, IT administrators should track them closely and address quickly”, Kandek stressed.

Andrew Storms, director of security operations at nCircle, said the light load was a welcome reprieve. “Considering all the concerns security experts have with Adobe, Sony, Epsilon, and Apple right now, a light Microsoft month is more than good news.”

Paul Henry, security and forensic analyst at Lumension, stressed that there are major security concerns beyond Patch Tuesday: “While the light patch load for May will be disruptive, it isn’t out of the ordinary. What we do need to worry about is that in light of recent mega-breaches, we are obviously not getting it right when it comes to protecting ourselves. People need to re-evaluate their security infrastructure and perhaps even their priorities.”

Last week, Microsoft announced it is modifying its Exploitability Index, a rating system that indicates the likelihood of a security flaw being used in an attack within the first 30 days of a bulletin’s release.

“As of this month, we are making some changes to the rating system to make vulnerability assessment more clear and digestible for customers. Specifically, we will be publishing two Exploitability Index ratings per vulnerability – one for the most recent platform, the other as an aggregate rating for all older versions of the software. This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built into Microsoft’s newest products; under the previous system, vulnerabilities were given an aggregate rating across all product versions”, Microsoft explained in a blog.
