Microsoft plans to patch two critical vulnerabilities with two updates to Windows and Office next week.
"It's the predictable off month for Microsoft," said Andrew Storms, the director of security operations with nCircle Security. "That's all within the predictable pattern they've created."
Storms was referring to Microsoft's habit of alternating large- and small-sized updates. In April, the company issued 11 security updates that fixed a total of 25 flaws, including nine labelled 'critical', the highest threat ranking in its four-step scoring system.
In its monthly advance notification, Microsoft spelled out next week's single-digit Patch Tuesday.
The one-patch Windows update is labelled critical for Windows 2000, XP, Vista, Server 2003 and Server 2008, and as 'important' for Windows 7 and Server 2008 R2. According to Microsoft, the newest operating systems - Windows 7 and Server 2008 R2 - will be patched even though they're not vulnerable.
"Windows 7 and Windows Server 2008 R2 customers will be offered the Windows-related update but they are not vulnerable in their default configurations," said Jerry Bryant, a security program manager, in an entry on the Microsoft Security Response Center (MSRC) blog.
Microsoft did the same last month when it patched the VBScript scripting engine in Windows; although Vista, Server 2008, Windows 7 and Server 2008 R2 were not vulnerable, Microsoft updated the code just in case. The company slaps a 'defence-in-depth' label on such fixes.
"What they're saying is the vulnerable code exists in Windows 7 and 2008 R2," said Storms, "but that they also don't know what people might figure out in the future as a way to exploit it. The bug exists, but they're making the distinction that at the moment no one can think of a way to use it."
That could change down the road, Storms said, pointing out Microsoft's DEP (data execution prevention) and ASLR (address space layout randomisation) defences as examples. "They were viewed as a giant leap forward [when they were introduced], but that leap is starting to erode, and fast," he said.
Work on ways to bypass DEP and ASLR has stepped up of late. In March, two researchers sidestepped both defenses to win $10,000 each at the high-profile Pwn2Own hacking contest. Microsoft quickly stood up for the features, saying that although DEP and ASLR weren't "designed to prevent every attack forever", they remained effective in raising the attack bar.
Tuesday's second update will patch Office XP, Office 2003 and Office 2007, as well as the Visual Basic for Applications and Visual Basic for Applications SDK (software developers kit) tools.
"I'm betting that the vulnerability will be in the Office 2007 converter tool," said Storms, talking about the file conversion utility Microsoft offers that lets users open documents in the newer Office 2007 formats in older editions of the suite.
Microsoft will not issue fixes next week for flaws it has publicly acknowledged in both SharePoint 2007 and Internet Explorer. "We will not be releasing an update for [our recent Security Advisory for SharePoint] with the May bulletins," confirmed Microsoft's Bryant. "Our teams are still working on an update for that issue."
The SharePoint zero-day bug, which was disclosed last week by a Swiss security consultancy, could be used by attackers to steal confidential information from companies' SharePoint servers. Microsoft has recommended that administrators apply a workaround in lieu of a patch.
The unpatched vulnerability in IE was confirmed by Microsoft in early February after a researcher with Core Security Technologies showed how the bug could be exploited to remotely read files on a PC's local drive. The vulnerability affects all versions of the company's browser, including IE8.
"That's a low-risk bug," argued Storms, when asked why Microsoft had not yet patched it. "It's kind of an odd situation, and probably doesn't represent a big risk at the moment."