Microsoft updated today the security advisory page for May and we are expecting eight security bulletins next Tuesday. Three of the bulletins address vulnerabilities that can be used by the attacker for Remote Code Execution (RCE) which are the highest priority type vulnerabilities.
Bulletin #1 is rated critical, addresses Internet Explorer (IE) and affects all currently supported versions from IE6-IE11. IE6, IE7 and IE8 are being patched for Windows Server 2003, but not for Windows XP, which had its End-of-Life date last month in April 2014 and will not receive any more regular updates. The Internet Explorer update should contain the cumulative fix for last months 0-day, already addressed by Microsoft in an out-of-band fashion last week in MS14-021 and the vulnerabilities disclosed during the year’s PWN2OWN competition at CanSecWest. This update should be high on your list, especially if you have not applied MS14-021 yet.
Bulletin #2 addresses critical vulnerabilities that also allow for RCE in Sharepoint server 2007, 2010 and 2013, plus a number of other server platforms. This should be high on your list, especially if you expose any of the listed platforms on the Internet.
Bulletin #3 is an update for Office 2007, 2010 and 2013. It is rated important and provides RCE to the attacker, indicating that the attacker vector is a malicious document that the target has to open in order to trigger the attack. Attackers would use a document like that in a social engineering attack, which aims at convincing the user to open the document, for example by making it appear as coming from the user’s HR department or promising information about a subject of interest to the user.
The remaining bulletins are fixes for Windows, .Net and Office that address local vulnerabilities, with the exception of Bulletins #7 that addresses a Denial-of-Service condition in Server 2008 R2 and 2012 R2.
In addition to Microsoft, Adobe has announced that they will publish a new version of Adobe Reader. Since the PDF format is frequently abused by attackers, you should include Adobe Reader on your priority list.