'Critical' Office Fix To Highlight May Security Update -- Redmondmag.com

'Critical' Office Fix To Highlight May Security Update

By Chris Paoli
05/03/2012

Microsoft's Patch Tuesday offering this month will feature three "critical" and four "important" bulletin items that will target 23 vulnerabilities.

Microsoft's Security Update will fix issues in Office, Windows, .NET Framework and Silverlight. As with every Advance Notification, details of the actual bulletin items won't be provided until after the patch release.

While the total number of bulletin items dispensed by Microsoft is low so far for this year (compared with the same timeframe last year), the number of vulnerabilities being addressed is higher. It's measured in terms of common vulnerability and exposures, or CVEs.

"CVEs correspond to the number of bugs fixed, and this year Microsoft is on a CVE streak," said Andrew Storms, director of security operation at nCircle. "With the 23 CVEs in May's patch, Microsoft's CVE count has already reached 70 for 2012. This time last year Microsoft issued just 59 CVEs."

A critical remote code execution bulletin for Microsoft Office tops the priority list this month. In fact, remote code execution flaw fixes will account for five of the seven May bulletins. The remaining two, which both fall under the important classification, will deal with elevation-of-privilege issues in Windows.

In other Patch Tuesday-related news, Microsoft announced today that it had found the party responsible for leaking proof-of-concept (POC) code for an RDE exploit ahead of its bulletin release in March.

"During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA)," wrote Microsoft in a blog entry. "Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program."

Microsoft also said that it is strengthening its patching and disclosure process to prevent something like this incident happening in the future.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.