MS Readies Light Patch Tuesday, but Omission Raises Eyebrows

Just five weeks after it was forced to release an emergency patch for a zero-day flaw in Internet Explorer (IE), Microsoft may again have to consider yet another out-of-schedule fix for an unaddressed problem with its software. In the meantime, the upcoming May Patch Tuesday (due next week) addresses just two "critical" issues.

Microsoft typically releases a batch of fixes for various software issues and security threats affecting its products on the second Tuesday of every month. In past months, the number of fixes offered have ranged from high to low: in March, the number of vulnerabilities was a fairly paltry eight, but February brought a pretty staggering 26. Last month there were 25 issues that needed fixing.

Two Vulnerabilities Marked "Critical"

This month is again light, keeping up with a recent trend where a heavy month is followed by a relatively breezy one. For May, just two vulnerabilities have been designated "critical", Microsoft's highest alert for security threats. Both involve issues that could lead to Remote Code Execution, or RCE, allowing a hacker to take control of another user's system.

The first vulnerability is related to the operating system and is marked critical for Windows 2000, XP, Vista and Windows Server 2003 and 2008. Microsoft says Windows Server 2008 R2 and Windows 7 are not affected, but has marked a fix "important" and encourages users of those OS' to apply the update. (Source: computerworld.com)

A second critical issue affects the popular Office Suite, including Office XP, Office 2003/2007. The patch is directed at a hole in Microsoft Visual Basic for Applications as well as Microsoft Visual Basic for Applications SDK, which could allow a hacker remote entry.

SharePoint Omission Raises Eyebrows

The fixes will be welcomed by users, but already some critics are wondering where is a fix for a security vulnerability in Microsoft SharePoint. A security advisory announced by Microsoft in April pointed out that hackers could take over systems running Windows SharePoint Services 3.0 and/or Microsoft Office SharePoint Server 2007.

"Our teams are still working on an update for that issue," said Jerry Bryan, spokesman for Microsoft's Security Response Center. "In the meantime, we recommend customers review the advisory and apply the workarounds." (Source: rcpmag.com)

Thus, it's possible the rather out-of-ordinary emergency patch released in late March may not be Microsoft's last in 2010.