Sunday, May 8, 2011
Patch Tuesday Will Be Light, with Only Two Vulnerabilities
After April's backbreaking Patch Tuesday, May's version will be light, with only two security bulletins. The patches will fix remote-code-execution vulnerabilities in Windows Server and Microsoft Office and may require a restart. Microsoft has also changed its Exploitability Index to make it clearer when the newest software versions are at less risk.
Microsoft on Thursday offered its monthly advance warning for Patch Tuesday. After a backbreaker in April, Microsoft will only issue two security bulletins on May 10.
One of the bulletins is rated critical. This flaw affects Microsoft Windows Server 2003 and 2008 only. The second bulletin is rated important, and affects Microsoft Office XP, 2007, 2003 and 2004 for Mac.
"As it happened before on several occasions, users of the new versions of Office for both Windows and Mac OS X are not affected by the vulnerabilities," said Wolfgang Kandek, CTO of Qualys. "However, as both bulletins are for remote-code-execution vulnerabilities, IT administrators should track them closely and address quickly."
Last month, patches rained as Microsoft released 17 security bulletins that addressed a total of 64 vulnerabilities. This month, flowers are blooming with only two patches, quipped Paul Henry, security and forensics analyst for Lumension.
"However, there will still be some disruption from these bulletins on Patch Tuesday," he added. "Both provide for remote code execution and may even require a restart."
Henry noted that recent breaches saw user credentials being distributed over the Internet, making passwords ineffective. In addition to protecting passwords, he said, IT admins need to make certain other layered security measures are in place to prevent unauthorized people from downloading and running malicious software in the environment. He stressed that no one is immune to attack.
"While the light patch load for May will be disruptive, it isn't out of the ordinary. What we do need to worry about is that in light of recent mega-breaches, we are obviously not getting it right when it comes to protecting ourselves," Henry said. "People need to reevaluate their security infrastructure, and perhaps even their priorities."
Exploitability Index Changes
Microsoft on Thursday also announced changes to its Exploitability Index, which assesses the likelihood of functional exploit code being developed for a particular vulnerability. Microsoft launched the effort in 2008, and is now making it more comprehensive.
"The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010," said Pete Voss, senior response communications manager at Microsoft Trustworthy Computing.
Using a recent example, Voss noted the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021 in the April release. It was originally rated a "1 -- Consistent Exploit Code Likely." Under the original system, the Exploitability Index didn't specifically illustrate that customers using Excel 2010 were at less risk. For Excel 2010 alone, CVE-2011-0097 would rate a "2 -- Inconsistent Exploit Code Likely."
"In fact, our research has shown that 37 percent of the vulnerabilities addressed since July 2010 have had similar results," Voss said. "The latest platform was either entirely unaffected, or significantly more difficult to exploit."