Microsoft: Only Two 'Critical' Patches Coming Tuesday
May's "Patch Tuesday" drop will be relatively painless, with only two "critical" patches to deal with. But why isn't last week's SharePoint flaw being addressed?
Microsoft is planning to deliver a pair of "critical" patches next week during its monthly "Patch Tuesday" event. The two pending patches are meant to fix critical security holes in several versions of Windows, as well as in Visual Basic for Applications.
However, neither of them will fix a zero-day vulnerability in Microsoft's (NASDAQ: MSFT) SharePoint Server 2007 and SharePoint Services 3 that the company warned customers about last week.
"Concerning the recent Security Advisory for SharePoint, we will not be releasing an update for that with the May bulletins. Our teams are still working on an update for that issue," Jerry Bryant, group manager for response communications in the Microsoft Security Response Center (MSRC), said in a blog post Thursday.
Microsoft typically sends out an advance notification e-mail the Thursday prior to what's known as "Patch Tuesday" -- the second Tuesday of each month when the company releases most of its patches for that month -- in order to let IT professionals know what fixes are in store. However, the SharePoint security flaw may prompt the company to go outside of the Patch Tuesday cycle in order to fix SharePoint.
"It seems likely that we can ... expect an out-of-band patch this month for SharePoint given the critical nature of the cross-site scripting vulnerability, which threatens sensitive corporate information housed on the enterprise content management system," Paul Henry, security and forensic analyst for security firm Lumension, said in an e-mail to InternetNews.com.
Last month, Microsoft released five patches that were rated as critical, the highest level in the company's four-tier severity rating scale.
Among those was a patch for a zero-day vulnerability, which Microsoft had warned customers about in early March, that could let a malicious hacker penetrate users' systems by getting the Windows help system to execute rogue VBScript code.
Neither of the patches coming this month affects Windows 7.
Microsoft will release its May batch of security patches on Tuesday, May 11.