Two new Windows patches via the ISO package

Sep 12, 2007 08:41 GMT

September is quite a slow month for the Redmond company. Microsoft patched a total of only four vulnerabilities impacting its products, setting a new record low for 2007 in terms of the volume of security flaws. Windows, Visual Studio, and MSN and Windows Live Messenger are the software items affected by this month's security bulletin releases. Microsoft issued a single update with a maximum severity rating of Critical, associated with a vulnerability in Microsoft Windows Agent. The remaining three patches plug only Important security flaws in Windows Services for UNIX 3.0 and Windows Services for UNIX 3.5 on Windows 2000, Windows Server 2003 x64 Edition, the Subsystem for UNIX-based Applications on x86 and x64 Windows Vista, Visual Studio .NET 2002, 2003, 2005 and MSN Messenger 6.2, 7.0, 7.5 and 8.0.

Still, while Microsoft made a total of four security patches available for download, only two of the updates made it into the September 2007 Security Releases ISO Image. This is because the Redmond company only includes in the image the patches for Windows released via Windows Update on September 11th, 2007. Microsoft Security Bulletin MS07-053 - Important: Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778) and Microsoft Security Bulletin MS07-051 - Critical: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827) are the two bulletins included in the DVD5 ISO image. Microsoft Security Bulletin MS07-040, a Critical patch for flaws in .NET Framework, is also provided with the release.

"A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft revealed about MS07-051, adding that MS07-053 deals with "a vulnerability in Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications where running certain setuid binary files could allow an attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could gain elevation of privilege."

You can grab the September 2007 Security Releases ISO Image from here, and access the additional Microsoft security bulletins for this month via this link.