Following feedback from end users, and especially corporate customers, Microsoft's process of delivering security updates for its products evolved from an as-needed approach to a scheduled monthly patch cycle, although out-of-band releases have not been ruled out. An integral part of the Redmond company's security bulletin distribution is bundling the patches that affect the Windows platform, both client and server operating systems, into a DVD5 ISO image file, which is then served as a single item to end users via the Download Center rather than through Windows Update. This also happens on a monthly basis, and following the availability of this month's Security Bulletins, the Redmond company has also released the May 2008 Security Releases ISO Image.
"This is a relatively light month; the vendor is releasing four bulletins that cover a total of six vulnerabilities. Of those, four issues are rated 'critical'; the rest are 'moderate'. All the critical issues are client-side and require a victim to open a malicious file to trigger. The vulnerability affecting Microsoft Jet Database Engine is the only update of the bunch. Evidence of this issue being exploited in the wild has been detected. As always, customers are advised to follow security best practices, specifically refusing to accept or open files from unknown sources," commented Rob Keith, Symantec Security Response Engineer.
But out of the four security bulletins, only one is designed to patch Windows. MS08-028 features a maximum severity rating of Critical and plugs a hole in the Microsoft Jet Database Engine, which places users of Windows 2000 SP4, Windows XP SP2, Windows XP x64 Professional, Windows Server 2003 SP1, x64 and Windows Server 2003 SP1 for Itanium-based Systems at risk. Windows XP SP3, Windows Vista SP1 and Windows Server 2008 are not affected by this vulnerability.
The May 2008 Security Releases ISO Image is available for download from the Microsoft Download Center.