After a record-breaking patch batch last month, Microsoft on Tuesday plans to release just two security bulletins as part of its May security update to address three vulnerabilities.
One of the fixes is rated “critical,” while the other garnered an “important” rating, according to Microsoft’s advanced notification released on Thursday. The critical patch will address one vulnerability in Windows while the important fix will remedy two flaws affecting Office.
Paul Henry, security and forensic analyst at vulnerability management firm Lumension, said that while this month’s patch load is much smaller than last, it will still cause a disruption for IT security teams.
“Both [bulletins] provide for remote code execution and may even require a restart,” Henry said in an email to SCMagazineUS.com on Thursday.
Microsoft also announced that, in a move to help security practitioners prioritize bulletins, it plans to revamp its exploitability index, which provides information about the likelihood that attackers will take advantage of vulnerabilities.
Starting Tuesday, Microsoft plans to release more comprehensive vulnerability assessment information and make its exploitability index “more clear and digestible,” Maarten Van Horenbeeck, senior security program manager at Microsoft’s Ecosystem Strategy Team, wrote in a blog post Thursday.
Specifically, Microsoft will begin publishing two exploitability ratings for each vulnerability, one of which will classify the risk it presents to the most recent version of the affected software or platform and another for all older versions. Previously, Microsoft provided one rating for all product versions.
This change will allow those running the latest iterations to more easily determine their risk given the extra security features built into Microsoft’s newest products.
The enhanced exploitability rating also will include an assessment of the denial-of-service risk a vulnerability poses.