Microsoft is to release two bulletins on tomorrow's Patch Tuesday, with one rated as critical.
The first bulletin will address a remote code execution vulnerability in Windows and is rated critical, while the second addresses a remote code execution vulnerability in Office and is rated as important.
Wolfgang Kandek, CTO of Qualys, said: “Both have limited applicability. The first bulletin is rated critical for Windows, but is applicable only to Windows 2003 and 2008. The second bulletin is for Microsoft Office and is rated important and applies to Office XP, 2003, 2007 and 2004 for Mac.
“As it happened before on several occasions, users of the new versions of Office for both Windows and Mac OS X are not affected by the vulnerabilities. However, as both bulletins are for remote code execution vulnerabilities IT administrators should track them closely and address quickly.”
Microsoft has also announced that it will revamp its exploitability index so that bulletins will be rated with one of three assessments: 1 - consistent exploit code likely; 2 - inconsistent exploit code likely; and 3 - functioning exploit code unlikely.
Consistent exploit code indicates that analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit that vulnerability. Inconsistent exploit code means that analysis has shown that exploit code could be created, but an attacker would likely experience inconsistent results, when targeting the affected product.
The functioning exploit code unlikely rating indicates that analysis has shown that exploit code that functions successfully is unlikely to be released and that it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behaviour, but it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability.
Pete Voss, senior response communications manager of Microsoft Trustworthy Computing, said: “Since October 2008, we have used the exploitability index to provide customers with valuable exploitability analysis for our security bulletins and starting on Tuesday, this information will become even more comprehensive for those who use Microsoft's latest platforms.
“The exploitability index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we're helping customers prioritise the security updates that matter to them.
“The exploitability index will continue to provide an aggregate exploitability rating across all affected products and the improvements made to exploitability index will now offer additional information to help customers prioritise bulletins.”