In sharp contrast to April's torrent of security fixes, May's monthly security-fix release was just a trickle. The lone May patch, which is rated important, fixes a vulnerability that could let attackers remotely take control of PCs running 32-bit or 64-bit versions of Windows Server 2003 and Windows XP.
"Microsoft is committed to helping customers keep their information safe and today released one security bulletin as part of the monthly schedule designed to make managing security updates more predictable and easier for customers," a Microsoft representative told me yesterday. "[This patch] addresses a vulnerability in Windows and has a maximum severity rating of 'important.' The vulnerability could allow an attacker to remotely execute code."
Microsoft says that this month's vulnerability affects the Microsoft Help and Support Center component in Windows 2003 and XP. By exploiting a vulnerability in the way Help and Support Center handles Host Configuration Protocol (HCP) URL validations, attackers can create Web pages that include specially encoded links that, under certain circumstances, could let the attackers gain control of user machines. According to Microsoft, HCP links are similar to standard Web URLs but use the hcp:// prefix instead of the http:// prefix.
Microsoft also rereleased two bulletins about earlier patches, MS04-014 and MS01-052, which address the Jet database engine and Windows 2000 Server Terminal Services, respectively. As usual, customers who want to stay up-to-date can use patching technologies such as Automatic Updates, Windows Update, Microsoft Software Update Services (SUS), and Microsoft Systems Management Server (SMS), or they can manually download patches from the Microsoft Web site.