Microsoft: Two 'Critical' Fixes Coming Tuesday

Microsoft expects to deliver just two critical fixes in its May security update, arriving this Tuesday.

The advance notification, released today by Microsoft, describes both fixes as addressing remote code execution (RCE) exploits in Microsoft's software. One will be a Windows patch, while the other addresses Microsoft Office applications.

The first security bulletin, the operating system patch, affects every supported Windows OS but is only deemed "critical" for Windows 2000, XP, Vista and Windows Server 2003 and 2008.

This security bulletin is labeled "important" for Windows 7 and Windows Server 2008 R2. However, Microsoft says these particular OS versions "are not vulnerable when in their default configurations."

The second security bulletin touches Office XP, Office 2003 and 2007 Microsoft Office System. Specifically, the fix is designed to stave off an RCE exploit in Microsoft Visual Basic for Applications and Microsoft Visual Basic for Applications SDK.

Both items may require a system restart after applying the patch.

As the May patch cycle nears, commentators have noticed the absence of a patch for a recently described vulnerability in SharePoint. Microsoft issued a security advisory (983438) late last month suggesting that attackers might achieve elevation-of-privilege status on systems running Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

At this point, Microsoft is just recommending that IT pros use workaround solutions.

"Our teams are still working on an update for that issue," said Microsoft Security Response Center spokesman Jerry Bryant, in a released statement. "In the meantime, we recommend customers review the advisory and apply the workarounds."

While it appears that the SharePoint fix will not be in the May security update, it might be pushed forward by Microsoft, according to Paul Henry, a security and forensic analyst at Lumension.

"It seems likely that we can instead expect an out-of-band patch this month for SharePoint, given the critical nature of the cross-site scripting vulnerability which threatens sensitive corporate information housed on the enterprise content management system," Henry said.

Meanwhile, as usual, Microsoft is also releasing information on nonsecurity releases on Windows Update, Microsoft Update and Windows Server Update Services via this Knowledge Base article.

Microsoft also repeated its warning in the May advance notification that support for Windows 2000 and Windows XP SP2 will end after July 13, 2010.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
