Microsoft plans critical update to Windows Server next week
Also slates fixes for PowerPoint, and will debut modified exploitability index
Computerworld - Microsoft today said it will patch a critical bug in its Windows server software and two other vulnerabilities in PowerPoint, the presentation maker bundled with Office.
After April's record-setting Patch Tuesday -- which fixed 64 flaws -- May's much lighter load was not surprising. Microsoft habitually takes an even-odd approach, with even-numbered months featuring fewer updates.
Of the two updates slated to ship May 10, Microsoft has classified one as "critical," the highest threat ranking in its four-step score, and the other as "important," the next-most serious.
The critical update will patch Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, the three still-supported editions of its server operating system.
The vulnerability exists even in the newest version, Server 2008 R2 Service Pack 1 (SP1). Windows desktop operating systems, including Windows XP, Vista and Windows 7, are not affected, however.
Without more information, it's impossible to tell what server component Microsoft will patch, said Andrew Storms, director of security operations at nCircle Security. "It's definitely a [reading of the] tea leaves," said Storms. "It could be an Active Directory component, or the DHCP (Dynamic Host Configuration Protocol) component."
Because the bug planned for patching exists on servers running Windows, Storms said that network administrators would likely require a day, perhaps two, additional time to test the fix before applying it.
The other bulletin applies to Office XP, Office 2003 and Office 2007, Microsoft said in its typically bare-bones advance notification today. The company specifically called out PowerPoint as the Office application that will receive a fix. Also slated for patching: Office 2004 for Mac and Office 208 for Mac.
Next week's patch for Office XP's edition of PowerPoint will be one of its last: That 10-year-old suite will not receive security updates after July 12.
The newest versions -- Office 2010 on Windows and Office 2011 for Mac -- are immune to the PowerPoint bugs.
Storms put his bet on a file format flaw. "I'm not surprised that it's PowerPoint, that it's probably a file format vulnerability," he said. "We shouldn't be surprised that more PowerPoint bugs are appearing as attackers shift their focus away from Word and Excel to PowerPoint."
Alongside the advanced warning, Microsoft also announced it would debut a changed exploitability index on Tuesday. The index, which debuted in October 2008, is a rating system that forecasts the likelihood a vulnerability will be exploited in the coming month.
Starting next week, the index will separate the most recent editions of its software from older versions.
One column in the index will show the ratings for Windows 7, Office 2010, Server 2008 R2 and the like; the other will post exploitability scores for older software.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts