News
        
        Microsoft's May Patch Aims at Office Vulnerabilities
        
        
        
        
		After a thick  April patch, this month's security update, released  today, is light with only two "critical" fixes.
The first critical fix (MS10-030)  in the May patch is a Windows-based update resolving a vulnerability affecting Outlook Express,  Windows Mail and Windows Live Mail. The applicable operating systems for this  fix are Windows 2000, XP, Vista, Server 2003  and Server 2008, all of which have a severity rating of critical.
The second critical fix (MS10-31)  also addresses a single vulnerability, in this case affecting Microsoft Visual  Basic for Applications (VBA). Microsoft says that this fix applies to Microsoft  VBA SDK 6.0 and third-party applications that use Microsoft VBA. Additionally,  Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office  System are affected by this patch, with the risk implications described as "important."
Both fixes are for vulnerabilities that could allow remote  code execution attacks. The vulnerabilities would require social engineering to  exploit, according to security experts. However, the VBA vulnerability requires  fewer actions from a user for a hacker to execute the attack. An attacker would  simply have to convince a user to open a maliciously crafted file -- such as an  Office document that supports VBA -- and the user's machine would be  compromised, according to Joshua Talbot, security intelligence manager at Symantec  Security Response.
"I can see this being used in targeted attacks, which  are on the rise," Talbot said.
Both patches may require system restarts to take effect, but  IT professionals at least have a light slate for this patch cycle. The next  month may prove different.
"Lately, Microsoft seems to be alternating between  lightly patching one month and then heavy the next," Talbot said. "So,  one has to wonder what next month holds in store. I also wouldn't be surprised  to see an update in June for the SharePoint cross-site scripting vulnerability  that recently came to light. Though we haven't seen any exploits for it in the wild  yet, it appears fairly trivial to take advantage of."
Microsoft issued Security  Advisory 983438 late last month for this SharePoint vulnerability. At the  time, the software giant said that it wasn't aware of any exploits but was  monitoring the threat landscape. 
Microsoft also released information about its nonsecurity  releases through Windows Update, Microsoft Update and Windows Server Update  Services. The info can be tapped via this Knowledge Base article.
        
        
        
        
        
        
        
        
        
        
        
        
            
        
        
                
                    About the Author
                    
                
                    
                    Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.