Microsoft alerted us last week to a cross-site scripting (XSS) vulnerability in SharePoint. No patch for it was released on Tuesday, so I expect an out-of-band release in the near future. The two bulletins that were released this month are rated critical. One is for VBA and Office and the other is for the Windows platform.
MS10-031, the VBA patch (CVE-2010-0815), poses a bit of a complex situation. VBA is part of Office, but it is also a separate product that developers can build into their applications to give users the ability to customize them. The Microsoft VBA developer tool is sold through Summit Software. If your company develops software and uses Microsoft VBA you will want to read this one carefully – otherwise just pay attention to the bits about Office and VBA.
MS10-030 patches a vulnerability (CVE-2010-0816) in Outlook Express and Windows Mail, which ship and install with all versions of Windows. The “workaround” provided suggests using web-based mail instead. For companies, this shouldn’t be an issue since you are probably using Outlook or some other email client. You should still patch this vulnerability, though, since the affected software is installed by default and users may also be using it to connect to personal email accounts.
Advice, as always: test and deploy these patches quickly.