icetray - Fotolia

Patch Tuesday fixes issued for IE, Office, SharePoint Server

A Windows Server 2003 vulnerability won't receive a fix in the latest batch of Patch Tuesday updates.

May’s substantial batch of patches includes three critical updates to address remote code execution flaws.

The first cumulative security update for Internet Explorer (IE) addresses 22 vulnerabilities and is rated critical for all supported versions of IE on affected Windows clients and moderate for all supported versions of IE on affected Windows servers. The update addresses the vulnerabilities by modifying how IE handles objects in memory and adds additional permission validations to the Web browser.

The remaining critical updates address flaws in Microsoft Font Drivers and Windows Journal. The Windows Journal update is rated critical for all supported editions of Windows.

The font vulnerability has a similar attack vector to IE.

"It has similar traits with the IE vulnerability -- a user uses Internet Explorer to go to a malicious website which has malicious fonts," said Amol Sarwate, director of engineering for Qualys Inc., based in Redwood City, Calif.

The 10 important updates include two remote code execution vulnerabilities, four elevation of privileges vulnerabilities, two security feature bypass vulnerabilities, and one denial of service and information disclosure flaw.

The vulnerability in Service Control Manager within Windows Server 2003 will not be patched, Microsoft said, because it would require major architectural changes. It's seen as yet another reminder to move away from the aging platform to something new.

The first important update resolves vulnerabilities in Microsoft Office by correcting how Office handles files in memory to ensure that SharePoint Server properly sanitizes user input. Another important update addresses vulnerabilities in SharePoint Server that fixes how SharePoint Server sanitizes specially crafted page content.

With the release of Windows 10, the company will no longer roll out updates on one particular day, but as they are prepared. Customers will also be able to choose a fast ring or a slow ring depending on how quickly they want their patches released. 

"It's good for security," said Wolfgang Kandek, CTO at Qualys. "For home users this is great. For companies, we'll have to see how far the acceptance goes."

The total number of patch bulletins this year rose to 53, which is on pace to eclipse last year's 85.

Tayla Holman is the assistant site editor for and can be reached at [email protected]. Jeremy Stanley is the site editor for and can be reached at [email protected].

Dig Deeper on Windows Server troubleshooting