The other OS vendors out there can only dream of having a few bulletins and a handful of patches in a month's time.
This is a daily occurence for Linux and Apple drops the patch bomb with hundreds of fixes several times a year.
Microsoft plans to ship two bulletins next Tuesday to fix multiple remote code execution vulnerabilities in Windows, Microsoft Office and Microsoft Visual Basic for Applications.
Both bulletins are rated “critical,” Microsoft’s highest severity rating. The company describes a critical flaw as one whose exploitation could allow the propagation of an Internet worm without user action.
According the advance notice for this month’s patch batch, both updates may require a restart.
Microsoft said Windows 7 and Windows Server 2008 R2 customers will be offered the Windows related patch but made it clear that those OS versions are not vulnerable in their default configurations.
This month’s updates will NOT include a fix for a known cross-site scripting flaw in SharePoint, Microsoft’s collaboration product.
[ SEE: Serious XSS flaw haunts Microsoft SharePoint ]
Here’s a quick update on that from the MSRC blog:
Concerning the recent Security Advisory for SharePoint, 983438, we will not be releasing an update for that with the May bulletins. Our teams are still working on an update for that issue. In the meantime, we recommend customers review the advisory and apply the workarounds.
If you are running Windows 2000 or Windows XP SP2, you should pay special attention to this guidance from Microsoft:
On a side note, I want to also continue reminding customers of Windows 2000 and Windows XP SP2 that all support for these platforms will end after July 13, 2010. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving security updates.
The patches are expected to cross the wires around 11 AM Eastern on Tuesday May 11. Patch management administrators should treat both these updates with the highest possible priority.
