May Patch Day is live, so go grab Microsoft’s latest security updates.
According to the May summary bulletin, Microsoft released two security bulletins containing software updates for Windows and Office. One update fixes a critical code execution in the Windows WINS services. Though Windows doesn’t enable this service by default, most administrators do run it on their Windows servers. So this flaw poses a significant risk to your Windows servers.
The second update fixes various code execution flaws in PowerPoint. If you open a specially crafted PPT file, an attacker can leverage this flaw to execute code on your machine. If you have local admin rights, the attacker gains complete control. Lately, attackers have leveraged malicious Office files quite successfully to distribute malware; making this a flaw you want to fix sooner, not later
Compared to last month’s 17 security bulletins, two updates seems like a vacation. Nonetheless, you should still test and install these updates as soon as you can. Personally, I’d start with the PowerPoint update since I suspect users often get tricked into opening malicious Office files. The WINS vulnerability is also serious. However, most firewalls (like ours) block WINS by default, so the flaw primarily poses an internal risk.
We’ll post more detailed alerts about these two bulletins, shortly. — Corey Nachreiner, CISSP