News

May Security Update To Come with Critical Office Fix

Microsoft's Advance Security Bulletin indicates that the May fixes will feature three "critical" and four "important" bulletin items targeting 23 vulnerabilities. Security issues in Office, Windows, .NET Framework and Silverlight are included in this round of fixes. As with every Advance Notification, details of the actual bulletin items won't be provided until after the patch release.

While the total number of bulletin items dispensed by Microsoft is low so far for this year (compared with the same timeframe last year), the number of vulnerabilities being addressed is higher. It's measured in terms of common vulnerability and exposures, or CVEs.

"CVEs correspond to the number of bugs fixed, and this year Microsoft is on a CVE streak," said Andrew Storms, director of security operation at nCircle. "With the 23 CVEs in May's patch, Microsoft's CVE count has already reached 70 for 2012. This time last year Microsoft issued just 59 CVEs."

A critical remote code execution bulletin for Microsoft Office tops the priority list this month. In fact, remote code execution flaw fixes will account for five of the seven May bulletins. The remaining two, which both fall under the important classification, will deal with elevation-of-privilege issues in Windows.

In other Patch Tuesday-related news, Microsoft announced that it had found the party responsible for leaking proof-of-concept (POC) code for an RDE exploit ahead of its bulletin release in March.

"During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA)," wrote Microsoft in a blog entry. "Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program."

Microsoft also said that it is strengthening its patching and disclosure process to prevent something like this incident happening in the future.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

comments powered by Disqus
Most   Popular