News

Microsoft's May Patch Aims at Office Vulnerabilities

After a thick April patch, this month's security update, released today, is light with only two "critical" fixes.

The first critical fix (MS10-030) in the May patch is a Windows-based update resolving a vulnerability affecting Outlook Express, Windows Mail and Windows Live Mail. The applicable operating systems for this fix are Windows 2000, XP, Vista, Server 2003 and Server 2008, all of which have a severity rating of critical.

The second critical fix (MS10-31) also addresses a single vulnerability, in this case affecting Microsoft Visual Basic for Applications (VBA). Microsoft says that this fix applies to Microsoft VBA SDK 6.0 and third-party applications that use Microsoft VBA. Additionally, Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System are affected by this patch, with the risk implications described as "important."

Both fixes are for vulnerabilities that could allow remote code execution attacks. The vulnerabilities would require social engineering to exploit, according to security experts. However, the VBA vulnerability requires fewer actions from a user for a hacker to execute the attack. An attacker would simply have to convince a user to open a maliciously crafted file -- such as an Office document that supports VBA -- and the user's machine would be compromised, according to Joshua Talbot, security intelligence manager at Symantec Security Response.

"I can see this being used in targeted attacks, which are on the rise," Talbot said.

Both patches may require system restarts to take effect, but IT professionals at least have a light slate for this patch cycle. The next month may prove different.

"Lately, Microsoft seems to be alternating between lightly patching one month and then heavy the next," Talbot said. "So, one has to wonder what next month holds in store. I also wouldn't be surprised to see an update in June for the SharePoint cross-site scripting vulnerability that recently came to light. Though we haven't seen any exploits for it in the wild yet, it appears fairly trivial to take advantage of."

Microsoft issued Security Advisory 983438 late last month for this SharePoint vulnerability. At the time, the software giant said that it wasn't aware of any exploits but was monitoring the threat landscape.

Microsoft also released information about its nonsecurity releases through Windows Update, Microsoft Update and Windows Server Update Services. The info can be tapped via this Knowledge Base article.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.