Today, Microsoft released its Advance Notification for May, which contains seven bulletins fixing a total of 23 vulnerabilities. Three of the bulletins are rated critical and four are rated important. The bulletins affect all versions of Windows and Microsoft Office (including Office for Mac OS X), plus Microsoft Silverlight.
The three critical bulletins provide fixes for Microsoft Office, Silverlight and .NET, with Bulletin 2 actually impacting all three products. These bulletins will be the highest priority for IT admins, especially Bulletin 1, which has a critical rating for Office 2003 and 2007, something we do not see all that often. Bulletin 1 also affects Office for the Macintosh, but is rated only important on that platform.
Bulletins 4 and 5 cover Microsoft Office as well and, while they are ranked only "important", provide fixes for Remote Code Execution (RCE) vulnerabilities. They should be considered high priority, as Bulletin 4 affects the free Excel viewer and Bulletin 5 the free Visio viewer, giving us a clue as to which file formats contain the weaknesses.
If we include this month, Microsoft will have released 35 bulletins this year, roughly on par with last year’s 36, but we have received them at a much steadier rate, fluctuating between 6 and 9 per month so far. Last year and in prior years, we saw much stronger differences, ranging from 2 to 17. We are not sure whether this is intended, but it makes the workload much more predictable and is preferable to the more bursty release mode.
In related news, Microsoft seems to have found the leak in its MAPP program, through which the originally submitted proof-of-concept code for the RDP vulnerability ended up being seen in attacks in the wild. They have terminated the relationship with the offending company – Hangzhou DPTech Technologies.