Microsoft announces 7 bulletins for May 2012 Patch Tuesday, closes book on MAPP data leak

Just hours after releasing the advance notification for May's Patch Tuesday release, which consists of seven bulletins, Microsoft brought some closure to its biggest security threat of the year.

RELATED: Microsoft's MAPP reportedly hacked, RDP exploits coming sooner than expected

In a post on its TechNet blog, Microsoft blamed March's information leak in the Microsoft Active Protections Program (MAPP) that led to several threats against a Remote Desktop Protocol (RDP) vulnerability on Chinese partner company Hangzhou DPTech Technologies.

"During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA)," Yunsun Wee, director of Microsoft Trustworthy Computing, wrote in the blog post. "Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program."

The breach, which came at the hands of hackers in China, granted the cybercrime community access to information to attack the RDP vulnerability before Microsoft customers were given the information needed to patch it. Wee added that Microsoft "took actions to better protect our information," while senior program manager Maarten Van Horenbeeck provided more visibility into the inner workings of MAPP.

Given the relatively light load of security bulletins, Microsoft chose an opportune time to close the book on March's security scare. Three of the seven bulletins were rated critical, the most interesting of which was Bulletin 1's critical patch for Office, Qualys CTO Wolfgang Kandek says.

Threats against Office typically require the user to open a file containing a malicious program, Kandek says. Microsoft has traditionally been more prone to issue the "important" rating to threats that involve user interaction, he added, making this month's critical bulletin "kind of interesting."

Marcus Carey, security researcher at Rapid7, speculated that the Office vulnerability patched with Bulletin 1 "is an underlying issue on how it processes data." Citing the recent phishing attacks against Mac systems, Carey says threats coming through Microsoft productivity software are "becoming a recurring theme for organizations and end users because it's primed for phishing attacks."

Beyond that, the remaining two critical patches will attract the most attention, primarily because they address vulnerabilities in Windows versions XP through 7, Carey says.

"This means that all organizations and the entire user base will be affected by these critical bulletins," Carey says.

The other four bulletins were all rated important. Bulletins 4 and 5 address remote code execution vulnerabilities in Office, while bulletins 6 and 7 address elevation of privilege in Windows Vista and Windows 7.

With seven bulletins in April, Microsoft's total bulletins for 2012 rises to 35, compared to the 36 issued by the same point last year. Interestingly, Microsoft's release schedule has been far more consistent than in years past. From January through May 2012, the total number of Patch Tuesday bulletins issued in a single month has dipped as low as six and risen only as high as nine. In the same period last year, those totals ranged from two in both January and May to 12 in February and 17 in April.

This trend shows a sign of stability in Microsoft research and makes the jobs of systems administrators much easier, Kandek says.

"I'm not sure how they do this internally in terms of planning, but it seems to me going to a more steady stream is a sign of maturity, and from my systems administration perspective I prefer that than every two months getting something bigger," Kandek says. "I personally prefer a steady stream coming out. I can deal with that better, rather than things where suddenly my capacity is stretched more."

Andrew Storms, director of security operations for nCircle, also took note of Microsoft's continued move away from the "feast and famine" approach of last year. However, the number of bulletins is less relevant than the number of common vulnerabilities and exposures (CVEs), Storms says, and the security community should put more focus on Microsoft's increase in that area this year.

"Bulletin numbers don't tell the whole patch story," Storms says. "CVEs correspond to the number of bugs fixed, and this year Microsoft is on a CVE streak. With the 23 CVEs in May's patch, Microsoft's CVE count has already reached 70 for 2012. This time last year Microsoft issued just 59 CVEs."

Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World. Follow him on Twitter @ntwrkwrldneagle and keep up with the Microsoft, Cisco and Open Source community blogs. Colin's email address is

Read more about software in Network World's Software section.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline