Microsoft is planning a light patching month in May, indicating in its advance notification to customers on Thursday that it would issue two bulletins on Patch Tuesday, one rated “critical,” addressing a vulnerability in Microsoft Windows.
The software giant said the critical bulletin addresses a single Windows vulnerability affecting Windows Server 2003, 2008 and 2008 R2. A second bulletin, rated “important,” addresses two flaws in Microsoft Office PowerPoint 2002, 2003 and 2007, as well as Microsoft Office 2004 and 2008 for Mac. The bulletins are scheduled to be issued on May 10.
Exploitability Index changes
In addition, Microsoft announced changes to its Exploitability Index, designed to help IT administrators prioritize patching deployments. The index assigns a number based on the likelihood of functioning exploit code surfacing over the first 30 days of a patch release.
The revamped index will carry two ratings per vulnerability: one for the most recent platform and one for older versions of the software. The goal of the changes is to make vulnerability assessment clearer and more digestible for customers, wrote Maarten Van Horenbeeck, senior security program manager, in the Microsoft Security Response Center blog.
“This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built in to Microsoft’s newest products,” wrote Van Horenbeeck. “Under the previous system, vulnerabilities were given an aggregate rating across all product versions.”
Van Horenbeeck said the Exploitability Index had been criticized for not taking into account more recent mitigations implemented in the operating systems, such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other technologies that are in place to help prevent exploitation of vulnerabilities. ASLR, for example, is not implemented by default on Windows XP.
Denial of service risk
The revamped Exploitability Index will also take into account the risk posed by denial-of-service (DoS) attacks, which can cause a system to become unresponsive or crash. The index will indicate whether a DoS attack would be “permanent,” meaning it crashes a program or operating system and leaves it unresponsive for the duration of the attack.
“For administrators of Internet-facing services, this can often be the difference between a highly important and insignificant vulnerability,” wrote Van Horenbeeck.
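To show how the per-platform ratings and the DoS indicator described above change patch ordering, here is an added example (not code from Microsoft or from the article). It uses the published Exploitability Index scale (1 = consistent exploit code likely, 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely); the bulletin values, host inventory, the set of platforms counted as "latest," and the scoring policy are all constructed for illustration.

```python
from dataclasses import dataclass

# Assumed split between "most recent platform" and "older versions" for this
# example; a real inventory would derive this from the bulletin's affected list.
LATEST_PLATFORMS = {"Windows 7", "Windows Server 2008 R2"}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str      # placeholder id, not a real bulletin number
    xi_latest: int        # Exploitability Index rating for the newest platform
    xi_older: int         # Exploitability Index rating for older product versions
    permanent_dos: bool   # True when the DoS indicator is "permanent"


@dataclass(frozen=True)
class Host:
    name: str
    platform: str
    internet_facing: bool


def applicable_rating(bulletin: Bulletin, host: Host) -> int:
    """Pick the rating that applies to this host's platform (the point of the
    revamped index: newer platforms with ASLR/DEP get their own number)."""
    if host.platform in LATEST_PLATFORMS:
        return bulletin.xi_latest
    return bulletin.xi_older


def priority(bulletin: Bulletin, host: Host) -> int:
    """Constructed scoring policy: lower score means patch sooner.
    A permanent DoS on an Internet-facing host is bumped up one tier."""
    score = applicable_rating(bulletin, host)
    if bulletin.permanent_dos and host.internet_facing:
        score -= 1
    return max(score, 1)


def deployment_order(bulletin: Bulletin, hosts: list) -> list:
    """Return host names sorted by patch priority, then name for stability."""
    return [h.name for h in sorted(hosts, key=lambda h: (priority(bulletin, h), h.name))]


# Constructed sample data: one bulletin, three hosts on mixed platforms.
SAMPLE_BULLETIN = Bulletin("MSyy-xxx", xi_latest=3, xi_older=1, permanent_dos=True)
SAMPLE_HOSTS = [
    Host("xp-kiosk", "Windows XP", internet_facing=True),
    Host("win7-desk", "Windows 7", internet_facing=False),
    Host("web-2008r2", "Windows Server 2008 R2", internet_facing=True),
]

if __name__ == "__main__":
    print(deployment_order(SAMPLE_BULLETIN, SAMPLE_HOSTS))
```

Under the old single aggregate rating all three hosts would have scored the same; with the split ratings the XP host patches first, the exposed 2008 R2 server second because of the permanent DoS, and the internal Windows 7 desktop last.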
In a review of Exploitability Index ratings over the last eight months, Microsoft found that out of a total of 256 ratings, 97 issues were less serious or not applicable in the latest version of the product. There were seven instances in which the most recent product version was affected and older platforms were not.
Paul Henry, security and forensic analyst at vulnerability management vendor Lumension Security Inc., said the revamped index improves upon an already helpful assessment tool for administrators who need to fine-tune their priorities.
"Microsoft already does the best job in the industry with background info on their patches and now they have taken it up another notch," Henry wrote in an email message.