Valid for all Windows releases

Jul 17, 2009 15:15 GMT

The July 2009 Security Release ISO Image is now available for download from Microsoft, released alongside the company's monthly patch cycle. In addition to serving each month's security bulletins through Windows Update, the software giant also packages the patches for the supported Windows client and server operating systems as an ISO image. In this context, customers can now access the Windows-related security updates that went live on July 14, 2009, including those for Windows Vista Service Pack 2 and Windows XP SP3, through the DVD5 ISO image package.

“This month we are releasing six bulletins. Three of those affect Windows and are rated Critical. All three of those also have an Exploitability Index rating of ‘1’ which means that we believe that consistent exploit code in the wild is highly likely within the first 30 days,” revealed Jerry Bryant, Microsoft security program manager. “The remaining three bulletins are all rated Important and affect Microsoft Office Publisher, Microsoft ISA Server, and both Virtual PC and Virtual Server. The first two also have Exploitability Index ratings of ‘1’ so please consider this while doing your risk assessment. In total, we are addressing nine vulnerabilities this month.”

It is important to note that the ISO image contains only patches for vulnerabilities that affect Windows. In this regard, the package includes MS09-028 and MS09-029, which patch five Critical vulnerabilities in Microsoft DirectShow and the Embedded OpenType Font Engine that could allow remote code execution if successfully exploited.

Microsoft enumerated the patched security flaws in MS09-028:

DirectX NULL Byte Overwrite Vulnerability - CVE-2009-1537 - a remote code execution vulnerability exists in the way that Microsoft DirectShow parses QuickTime media files.

DirectX Pointer Validation Vulnerability - CVE-2009-1538 - a remote code execution vulnerability exists in the way that Microsoft DirectShow validates certain values when updating a pointer.

DirectX Size Validation Vulnerability - CVE-2009-1539 - a remote code execution vulnerability exists in the way that Microsoft DirectShow validates specific fields in QuickTime media files.

MS09-029 is designed to resolve these issues:

Embedded OpenType Font Heap Overflow Vulnerability - CVE-2009-0231 - a remote code execution vulnerability exists in the way that Microsoft Windows Embedded OpenType (EOT) font technology parses data records in specially crafted embedded fonts.

Embedded OpenType Font Integer Overflow Vulnerability - CVE-2009-0232 - a remote code execution vulnerability exists in the way that Microsoft Windows Embedded OpenType (EOT) font technology parses name tables in specially crafted embedded fonts.

The July 2009 Security Release ISO Image is available for download here.