Microsoft plans critical update to Windows Server next week

Also slates fixes for PowerPoint, and will debut modified exploitability index

Microsoft today said it will patch a critical bug in its Windows server software and two other vulnerabilities in PowerPoint, the presentation maker bundled with Office.

After April's record-setting Patch Tuesday -- which fixed 64 flaws -- May's much lighter load was not surprising. Microsoft habitually takes an even-odd approach, with even-numbered months featuring fewer updates.

Of the two updates slated to ship May 10, Microsoft has classified one as "critical," the highest threat ranking in its four-step score, and the other as "important," the next-most serious.

The critical update will patch Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, the three still-supported editions of its server operating system.

The vulnerability exists even in the newest version, Server 2008 R2 Service Pack 1 (SP1). Windows desktop operating systems, including Windows XP, Vista and Windows 7, are not affected, however.

Without more information, it's impossible to tell what server component Microsoft will patch, said Andrew Storms, director of security operations at nCircle Security. "It's definitely a [reading of the] tea leaves," said Storms. "It could be an Active Directory component, or the DHCP (Dynamic Host Configuration Protocol) component."

Because the bug planned for patching exists on servers running Windows, Storms said that network administrators would likely require a day, perhaps two, additional time to test the fix before applying it.

The other bulletin applies to Office XP, Office 2003 and Office 2007, Microsoft said in its typically bare-bones advance notification today. The company specifically called out PowerPoint as the Office application that will receive a fix. Also slated for patching: Office 2004 for Mac and Office 208 for Mac.

Next week's patch for Office XP's edition of PowerPoint will be one of its last: That 10-year-old suite will not receive security updates after July 12 .

The newest versions -- Office 2010 on Windows and Office 2011 for Mac -- are immune to the PowerPoint bugs.

Storms put his bet on a file format flaw. "I'm not surprised that it's PowerPoint, that it's probably a file format vulnerability," he said. "We shouldn't be surprised that more PowerPoint bugs are appearing as attackers shift their focus away from Word and Excel to PowerPoint."

Microsoft patched three PowerPoint vulnerabilities last month, and two in November 2010 .

Alongside the advanced warning, Microsoft also announced it would debut a changed exploitability index on Tuesday. The index, which debuted in October 2008, is a rating system that forecasts the likelihood a vulnerability will be exploited in the coming month.

Starting next week, the index will separate the most recent editions of its software from older versions.

One column in the index will show the ratings for Windows 7, Office 2010, Server 2008 R2 and the like; the other will post exploitability scores for older software.

Microsoft argued that change "makes it easier for customers on recent platforms to determine their risk, given the extra security mitigations and features built in to Microsoft's newest products."

Storms agreed -- up to a point. "They clearly want to show that their newer software is the least risky," he said, discerning some marketing behind the move.

"And I think that this could be confusing to some people," Storms added, citing the requirement for many enterprises to have to check two scoreboards, not just one.

In a detailed blog post on the exploitability index change, Maarten Van Horenbeeck, a senior security program manager at Microsoft, cited statistics to back up the company's assertion that its newer software is more secure.

Of the 256 exploitability ratings Microsoft has given in the last eight months, 97 were less serious or not applicable on the latest version of the affected product. "In contrast, only seven cases affected the most recent product version and not the older platforms," he said.

Microsoft publishes the exploitability index as part of its month security update summary. Next week's will be posted here.

The two updates will be released at approximately 1 p.m. ET on May 10.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

More about Andrew Corporation (Australia)AppleetworkExcelMicrosoftnCircleTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts