Microsoft is planning to release only two new security bulletins for the May Patch Tuesday next week. The exceptionally light load is a welcome reprieve for IT admins who are still struggling to test and implement the record onslaught of security bulletins and updates from the April Patch Tuesday.
One of the two security bulletins is rated Critical, while the second is merely Important--a nice change of pace from last month when nine of the 17 security bulletins were ranked Critical. Many IT admins are not only still hard at work applying last month's Microsoft patches, but they have also had to deal with multiple zero-day flaws and patches from Adobe for Flash, Acrobat, and Reader.
Wolfgang Kandek, CTO of Qualys, explains in a blog post that not only are there only two security bulletins this month, but the vulnerabilities have limited scope as well. "The first bulletin is rated critical for Windows, but is applicable only to Windows 2003 and 2008. The second bulletin is for Microsoft Office and is rated important and applies to Office XP, 2003, 2007 and 2004 for Mac."
Kandek also notes, however, that it's not an accident that the latest versions of the Windows operating system, as well as the current Microsoft Office for both Windows and Mac OS X, are not impacted by these flaws.
Andrew Storms, director of security operations for nCircle, points out, "Considering all the concerns security experts have with Adobe, Sony, Epsilon, and Apple right now, a light Microsoft month is more than good news."
In the same vein as Kandek's observation about the current versions of Microsoft software being less vulnerable to, or less affected by, flaws, Microsoft is introducing a modified exploit index rating system this month. The new system separates the exploit index rating of the latest platform and software releases from that of the legacy versions.
Storms says, "The new rating system provides users with maximum visibility into the relative safety of the newest products."
Check back next Tuesday for more detailed analysis of the Microsoft Patch Tuesday security bulletins and updates once they are released.