Microsoft Patch Tuesday: two updates planned
Following last month's record-breaking Patch Tuesday, Microsoft has announced that it plans to release just two bulletins on Tuesday 10 May. According to the company, the bulletins – one of which is rated as "Critical" – both address remote code execution vulnerabilities.
The first bulletin will correct issues in Windows Server 2003 and 2008, while the second bulletin, rated as "Important", will patch holes found in Office XP, 2003 and 2007, as well as Office 2004 and 2008 for Mac. The Open XML File Format Converter for Mac and the Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats are also affected.
In addition, Microsoft has said that it is making changes to the Exploitability Index, its vulnerability rating system, to make it "more clear and digestible for customers". In future, Microsoft will publish two ratings per vulnerability: "one for the most recent platform, the other as an aggregate rating for all older versions of the software".
Microsoft says it hopes the change will make it easier for customers on recent platforms to determine their actual risk, given the security mitigations built into some of its products. Windows 7, for example, includes additional security features such as data execution prevention (DEP) and address space layout randomisation (ASLR); this functionality is not present in older versions of Windows such as Windows XP, so the same vulnerability may be easier to exploit there.
- Return of the sprayer - JIT Spraying: Exploits to beat DEP and ASLR, a feature from The H.
- Damage limitation - Mitigating exploits with Microsoft's EMET, a feature from The H.