Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Microsoft to patch critical Windows Server vulnerability

Lighter Patch Tuesday follows record set in April

Article comments

Microsoft today said it will patch a critical bug in its Windows server software and two other vulnerabilities in PowerPoint, the presentation maker bundled with Office.

After April's record-setting Patch Tuesday, which fixed 64 flaws, May's much lighter load was not surprising. Microsoft habitually takes an even-odd approach, with even-numbered months featuring fewer updates.

Of the two updates slated to ship May 10, Microsoft has classified one as "critical," the highest threat ranking in its four step score, and the other as "important," the next most serious.

The critical update will patch Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, the three still-supported editions of its server operating system. The vulnerability exists even in the newest version, Server 2008 R2 Service Pack 1 (SP1). Windows desktop operating systems, including Windows XP, Vista and Windows 7, are not affected, however.

Without more information, it's impossible to tell what server component Microsoft will patch, said Andrew Storms, director of security operations at nCircle Security. "It's definitely a [reading of the] tea leaves," said Storms. "It could be an Active Directory component, or the DHCP (Dynamic Host Configuration Protocol) component."

Because the bug planned for patching exists on servers running Windows, Storms said that network administrators would likely require a day, perhaps two, additional time to test the fix before applying it.

The other bulletin applies to Office XP, Office 2003 and Office 2007, Microsoft said in its typically barebones advance notification today. The company specifically called out PowerPoint as the Office application that will receive a fix. Also slated for patching: Office 2004 for Mac and Office 208 for Mac.

Next week's patch for Office XP's edition of PowerPoint will be one of its last: That 10-year-old suite will not receive security updates after July 12. The newest versions, Office 2010 on Windows and Office 2011 for Mac, are immune to the PowerPoint bugs.

Storms put his bet on a file format flaw. "I'm not surprised that it's PowerPoint, that it's probably a file format vulnerability," he said. "We shouldn't be surprised that more PowerPoint bugs are appearing as attackers shift their focus away from Word and Excel to PowerPoint."

Alongside the advanced warning, Microsoft also announced it would debut a changed exploitability index on Tuesday. The index, which debuted in October 2008, is a rating system that forecasts the likelihood a vulnerability will be exploited in the coming month.

Starting next week, the index will separate the most recent editions of its software from older versions. One column in the index will show the ratings for Windows 7, Office 2010, Server 2008 R2 and the like. The other will post exploitability scores for older software.

Microsoft argued that change "makes it easier for customers on recent platforms to determine their risk, given the extra security mitigations and features built in to Microsoft's newest products."

Storms agreed, up to a point. "They clearly want to show that their newer software is the least risky," he said, discerning some marketing behind the move. "And I think that this could be confusing to some people," Storms added, citing the requirement for many enterprises to have to check two scoreboards, not just one.

In a detailed blog post on the exploitability index change, Maarten Van Horenbeeck, a senior security programme manager at Microsoft, cited statistics to back up the company's assertion that its newer software is more secure.

Of the 256 exploitability ratings Microsoft has given in the last eight months, 97 were less serious or not applicable on the latest version of the affected product. "In contrast, only seven cases affected the most recent product version and not the older platforms," he said.

Microsoft publishes the exploitability index as part of its month security update summary. Next week's will be posted here.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *