10 May 2011
Microsoft has released a security fix for Windows Server and Office and an update for the way the company handles security reports.
The May edition of the Patch Tuesday release contains just two bulletins to address three flaws in its server operating system and productivity suite.
The Windows Server bulletin is considered the higher priority of the two patches, according to Microsoft's Security Bulletin Summary for May 2011.
Rated as 'critical', the flaw could allow an attacker to target the Windows Internet Name Service component for exploitation in a remote code execution attack.
The vulnerability is being classified as a 'critical' risk for all supported versions of Windows Server 2003, Server 2008 and Server 2008 R2.
The second bulletin addresses two different security holes in PowerPoint. If a user is tricked into opening a specially crafted PowerPoint file, an attacker could exploit the vulnerabilities to perform a remote code execution attack.
Microsoft is advising users of Office XP, 2003 and 2007 to install the update, as well as Mac OS X users running Office for Mac 2004 and 2008.
Along with the security fixes, Microsoft announced a change to its exploitability index.
The company will split the index into two categories: one that ranks the risk of exploitation for the latest version of the product, and a second for older versions of the product.
Microsoft said that the change will allow users with up-to-date software to better understand the real risk of a flaw.
Additionally, Microsoft plans to add a denial-of-service risk in order to keep administrators updated on the chances that a vulnerability can be used to trigger a system outage.
The moves have received an early thumbs-up from security vendors.
"This updated rating system will make it easier for IT administrators to determine their risk level, so customers should be sure to look at the new Exploitability Index in the bulletin summary to get a feel for the 'exploit potential' of each vulnerability," said Dave Marcus, head of research and communications at McAfee Labs.
"Microsoft's new index simplifies the process, which will help IT administrators to prioritise which patches they tackle first."