Microsoft’s May patches fix 120 security flaws — install them soon

Microsoft’s May Patch Tuesday landed this week with fixes for 120 security flaws across Windows, Office, SharePoint, and related services. That’s a lot of ground covered, but for a business running a handful of Windows PCs and Microsoft 365, the important question is: what actually needs doing?

The bit that warrants attention

Of the 120 flaws, 31 are remote code execution vulnerabilities. That’s the kind where an attacker can take control of a machine without the user doing anything particularly daft. The three biggest risk areas are Windows DNS, Windows Netlogon on servers, and Microsoft Office and Word.

The Office one is worth flagging specifically. Attackers can trigger it by sending a malicious document, and in some cases the flaw fires just from the preview pane, before you’ve even properly opened the file. If your team regularly receives documents from external customers or suppliers, this month’s Word and Excel fixes are the ones to prioritise.

The good news: there are no zero-days being actively exploited right now. That’s the first time in nearly two years that’s been the case on Patch Tuesday. It gives you a brief window to get updates applied before attackers start reverse-engineering what the patches fix and writing exploits for unpatched machines. That window doesn’t stay open long.

What to do

The NCSC recommends applying security patches as quickly as possible, ideally automatically. For most businesses, that translates to a few specific actions:

• Let Windows Update run on PCs and servers. Don’t defer or snooze it.
• If you use central management tools, push Office and Netlogon patches first, then the rest.
• If you handle card payments or sensitive client data, make sure DNS and Netlogon are patched on any servers involved.
• Remind staff not to disable update prompts. A machine that hasn’t rebooted in three weeks probably hasn’t installed anything.

Worth keeping in mind

April’s Patch Tuesday covered 167 flaws. February had multiple zero-days. This isn’t a one-off big month; large patch volumes are becoming routine as better tools, including AI-assisted vulnerability scanning, find more flaws faster. Getting your patching process predictable and largely automatic matters more now than it did a few years ago.

For businesses across Flintshire, Denbighshire, and the rest of North Wales without a dedicated IT person on staff, this is the practical argument for managed IT support: someone monitoring Microsoft’s releases, testing patches on a couple of machines, rolling them out across your fleet, and catching the occasional case where an update breaks something. Without that running in the background, the risk sits with you.

Patching is unglamorous work, but it’s also one of the most effective things a business can do to avoid a bad day. If you’re not sure whether your machines are up to date, Dragon Digital handles patch management for local businesses across North Wales and can tell you quickly where you stand.