After dishing out a record number of fixes in April, Microsoft only has two security bulletins on the menu this month. While May's Patch Tuesday won't be shattering any records, you'll still want to grab the updates when they become available next week. Both of the scheduled bulletins address security vulnerabilities in Windows and Office, with one classified as "critical" and the other as "important."
The critical bulletin affects all supported versions of Windows Server (2003, 2008, and 2008 R2), while Windows XP, Vista and 7 won't require the update. Microsoft hasn't detailed exactly what the critical patch will fix, but Andrew Storms of nCircle Security suggests that it might have something to do with an Active Directory or DHCP component. "It's definitely a [reading of the] tea leaves," Storms said.
The important bulletin is equally mysterious, though it also addresses a flaw that could lead to remote code execution. The vulnerability is apparently present in Microsoft Office XP and 2003 as well as Office 2004 and 2008 for Mac. Storms believes this patch might target a file format bug in PowerPoint. Both updates may require a reboot and could still prove to be an annoyance for IT administrators.
Along with providing advance notice about Tuesday's patches, Microsoft shared upcoming changes to its Exploitability Index, a rating system that helps customers understand the likelihood that a specific vulnerability will be exploited. In a TechNet article, Microsoft said it would soon provide two Exploitability Index ratings per vulnerability: one for new platforms and another for older versions.
"This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built into Microsoft's newest products; under the previous system, vulnerabilities were given an aggregate rating across all product versions." Storms noted that this was at least partially a marketing decision to show that Microsoft's newest software is the least risky.