It's not the quantity of the security updates issued by Microsoft on Patch Tuesday, but the quality, according to security industry watchers. Microsoft's seemingly skimpy May release of only two security bulletins could give IT managers a false sense of security, especially considering that one of the vulnerabilities could live on post-patching in third-party applications.
"Since the big blast of patches in October, I think some of us have been desensitized by high bulletin numbers and pay less attention to updates that only address a couple of vulnerabilities," says Jason Miller, data and security team manager at Shavlik Technologies in Minneapolis. "Every time Microsoft rates a security bulletin critical, patching is also critical because these are potentially dangerous vulnerabilities."
Deemed critical by Microsoft, the security bulletin MS10-031 resolves a vulnerability in Microsoft Visual Basic for Applications, which could allow remote code execution "if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime," according to the company. That means an attacker could take control of the impacted system, Microsoft says. And industry watchers argue that another layer of risk is added on top of the vulnerability because this software from Microsoft is used in third-party applications from other vendors. And that means there may be a slew of patches coming out from third-party vendors that use Microsoft's Visual Basic for Applications in their products.
“I’ve put the Visual Basic for Applications vulnerability first on my list,” said Joshua Talbot, security intelligence manager at Symantec Security Response, in a statement. “The VBA vulnerability requires less action from a user. For instance, an attacker would simply have to convince a user to open a maliciously crafted file—likely an Office document—which supports VBA and the user’s machine would be compromised. I can see this being used in targeted attacks, which are on the rise.”
MS10-030 is the lesser of two evils among this month's bulletins, industry watchers agree. Still categorized as critical by Microsoft, the security bulletin addresses a vulnerability in Outlook Express, Windows Mail and Windows Live Mail, and could allow remote code execution if an end user visits a malicious e-mail server, according to Microsoft.
"It's possible that an attacker could somehow convince a user to do this - for example by enticing them to sign up for a new free mail service - but the steps required to do so would probably be a red flag for most users," Symantec's Talbot said.
Posted by Denise Dubie