It looks like there really is only one critical patch for Windows 2000/XP/Vista (Win7 is documented as important) and only one critical patch for Office scheduled for the May Patch Tuesday.
There is a minor inconsistency in the documentation for the Office patch. It seems they say it is critical in one location and then important in another.
http://www.microsoft.com/technet/security/bulletin/ms10-may.mspx
| Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software |
|---|---|---|---|
| Bulletin 1 | Critical, Remote Code Execution | Requires restart | Microsoft Windows |
| Bulletin 2 | Critical, Remote Code Execution | May require restart | Microsoft Office, Microsoft Visual Basic for Applications |
Microsoft Office Suites, Systems, and Components

| Bulletin Identifier | Bulletin 2 |
|---|---|
| Aggregate Severity Rating | Important |
| Microsoft Office XP | Microsoft Office XP Service Pack 3 (Important) |
| Microsoft Office 2003 | Microsoft Office 2003 Service Pack 3 (Important) |
| 2007 Microsoft Office System | 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (Important) |
The patches Microsoft released this week present negligible exposure based on the information currently known. MS10-030 has the potential for the most immediate impact, but exploitation would require that the Departmental mail server be compromised or that the victim access a malicious mail server. Currently no exploits are known for this vulnerability. The largest exposure exists for someone who checks mail from a public unencrypted Wi-Fi network using a mail protocol that also lacks encryption (such as normal POP or IMAP).
The second patch (MS10-031) is even less likely to be exploited, given the combination of conditions that would have to exist.
In practice, Microsoft is using every odd-month patch cycle (for example Jan-Mar-May) to address vulnerabilities that are less likely to be exploited and are more code-tightening efforts. The even-month patch cycles are progressing to be the large deployment patch months. So, next month might be a biggy.
Additional details can be found at the following URLs.
http://blogs.technet.com/msrc/archive/2010/05/11/may-2010-security-bulletin-release.aspx
MS10-030 is a Windows-based update resolving one vulnerability affecting Outlook Express, Windows Mail and Windows Live Mail. Windows 2000, XP, Vista, Server 2003, and Server 2008 all have a severity rating of Critical. Windows 7 and Windows Server 2008 R2 are rated Important when an affected mail client is installed. However, neither has a mail client installed by default. To successfully take advantage of this vulnerability, an attacker would either have to host a malicious mail server or compromise a mail server. Or, an attacker could perform a man in the middle attack and attempt to alter responses to the client. Heap mitigations built into Windows Vista and newer operating systems make exploitation of this vulnerability unlikely. Overall, we have rated this 2 on our Exploitability Index and do not expect reliable exploit code to surface in the next 30 days.
http://blogs.technet.com/srd/archive/2010/05/11/ms10-030-malicious-mail-server-vulnerability.aspx
Attack vector details
* Man-in-the-middle
The most likely attack vector involves an attacker attempting to intercept and modify legitimate POP3 or IMAP communications going across an untrusted network, such as a Wi-Fi hotspot in a coffee shop. However, this attack would be less likely to succeed if those POP3 or IMAP sessions used SSL, an option available in your email account configuration if your server supports it.
* Malicious email server
A less likely attack vector involves an attacker convincing or forcing a user to connect to a malicious email server. Convincing a user to change their email client configuration to connect to a malicious email server would require significant social engineering, and so it is less likely to be successful. Forcing a user to connect to a malicious email server would require the attacker to be able to redirect the user’s connection attempt from a legitimate email server to a malicious one. However, to accomplish this attack, the attacker would either need access to the user’s local area network, or have some way to poison the DNS entry for the email server.
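
As an added example (not from Microsoft or from the original post), the sketch below ranks mail-client machines for MS10-030 by combining the per-OS severity quoted above with whether the account still uses cleartext POP3 or IMAP. The `MailAccount` record, the scoring weights and the host names are assumptions made for illustration.

```python
from dataclasses import dataclass

# MS10-030 severity per OS, as given in the MSRC text quoted above.
# Windows 7 / Server 2008 R2 apply only when an affected mail client is installed.
SEVERITY = {
    "Windows 2000": "Critical", "Windows XP": "Critical",
    "Windows Vista": "Critical", "Windows Server 2003": "Critical",
    "Windows Server 2008": "Critical",
    "Windows 7": "Important", "Windows Server 2008 R2": "Important",
}
SSL_PORT = {"pop3": 995, "imap": 993}  # standard POP3S / IMAPS ports

@dataclass
class MailAccount:  # hypothetical inventory record
    host: str
    os_name: str
    protocol: str  # "pop3" or "imap"
    use_ssl: bool
    patched: bool  # MS10-030 update installed?

def assess(acct):
    """Rate one account's exposure to tampering with cleartext POP3/IMAP."""
    severity = SEVERITY.get(acct.os_name, "Unknown")
    cleartext = not acct.use_ssl
    actions = []
    if not acct.patched:
        actions.append("install MS10-030 update")
    if cleartext:
        port = SSL_PORT[acct.protocol.lower()]
        actions.append(f"enable SSL ({acct.protocol} on port {port}) if the server supports it")
    # Assumed weights: unpatched = 2, cleartext = 1, unpatched on a Critical OS = +1.
    score = (0 if acct.patched else 2) + (1 if cleartext else 0)
    if not acct.patched and severity == "Critical":
        score += 1
    return {"host": acct.host, "severity": severity, "cleartext": cleartext,
            "score": score, "actions": actions}

def triage(accounts):
    """Return assessments ordered from most to least urgent."""
    return sorted((assess(a) for a in accounts), key=lambda r: -r["score"])

# Constructed sample inventory (not real hosts).
SAMPLE = [
    MailAccount("desk-03", "Windows Vista", "imap", use_ssl=False, patched=True),
    MailAccount("laptop-02", "Windows 7", "imap", use_ssl=True, patched=False),
    MailAccount("laptop-01", "Windows XP", "pop3", use_ssl=False, patched=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["host"], row["severity"], row["score"], "; ".join(row["actions"]))
```
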
http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx
The update addresses the vulnerability by modifying the way that Visual Basic for Applications searches for ActiveX Controls embedded in documents.
http://blogs.technet.com/srd/archive/2010/05/11/ms10-031-vbe6-single-byte-stack-overwrite.aspx
In theory there are a few ways this vulnerability could be used in a successful exploit, yet all of them require very specific properties of the program (for an example: return address that does not start with 0x00 and includes 0x2e and after turning 0x2e into 0x00 points to a code usable by an exploit). Such properties, while possible, are unlikely to be found in practice.
In our analysis, we feel that consistent exploit code resulting in arbitrary code execution is not likely to be released within the next 30 days. However, following our general guidelines, we have classified this vulnerability as exploitable with possibility for code execution.