After a record-breaking patch batch last month, Microsoft on Tuesday plans to release just two security bulletins as part of its May security update to address three vulnerabilities.
One of the fixes is rated “critical,” and the other “important”, according to Microsoft's advanced notification released on Thursday. The critical patch will address one vulnerability in Windows while the important fix will remedy two flaws affecting Office.
Paul Henry, security and forensic analyst at US-based vulnerability management firm Lumension, said that while this month's patch load is much smaller than last, it will still cause a disruption for IT security teams.
“Both [bulletins] provide for remote code execution and may even require a restart,” Henry said.
Microsoft also plans to revamp its exploitability index which provides information about the likelihood that attackers will take advantage of vulnerabilities.
Starting Tuesday, Microsoft plans to release more comprehensive vulnerability assessment information and make its exploitability index “more clear and digestible.
It will begin publishing two exploitability ratings for each vulnerability, one of which will classify the risk it presents to the most recent version of the affected software or platform and another for all older versions. Previously, Microsoft provided one rating for all product versions.
This change will allow those running the latest iterations to more easily determine their risk given the extra security features built into Microsoft's newest products.
The enhanced exploitability rating also will include an assessment of the denial-of-service risk a vulnerability poses.