Microsoft planning two critical fixes in May update

This month's Microsoft security update is due on 11 May

Microsoft has published its advance notification for this month's Patch Tuesday update on 11 May, revealing fixes for two critical vulnerabilities in Windows and Office.

Jerry Bryant, group manager for response communications at Microsoft, said in a blog post that both issues allow for the remote execution of code.

Windows 7 and Windows Server 2008 R2 customers will be offered the Windows-related update, but Bryant claimed that "they are not vulnerable in their default configurations".

A recently uncovered problem with SharePoint will not be patched this month, as Microsoft is continuing to work on a solution.

Administrators have been advised to apply an access control list to the SharePoint Help.aspx file to prevent unauthorised users gaining access to the vulnerable components, or to disable certain features in Internet Explorer.

Alan Bentley, vice president at security firm Lumension, suggested that a SharePoint patch will follow shortly.

"It seems likely that we can expect an out-of-band patch this month for SharePoint given the critical nature of the cross-site scripting vulnerability, which threatens sensitive corporate information housed on the enterprise content management system," he said.

"On a side note, I want to remind customers of Windows 2000 and Windows XP SP2 that all support for these platforms will end after 13 July 2010. Customers should upgrade to a supported operating system or the latest service pack in order to keep receiving security updates."

Wolfgang Kandek, chief technology officer at Qualys, agreed that companies should consider replacing these systems as soon as possible.

"As support for Windows 2000 and XP SP2 is being discontinued in the summer, IT admins that still run either of these operating systems should be working on a replacement strategy," he said.