Softpedia
 


July 15th, 2009, 15:45 GMT · By

Patch Critical Vulnerabilities in Vista SP2 and XP SP3

On July 14th, as part of its monthly patch release cycle, Microsoft made available a total of six security bulletins impacting Windows platforms, Office Publisher, ISA Server, and Virtual PC and Virtual Server. Three of the patch packages affect various releases of the Windows client and server operating systems, including Windows Vista Service Pack 2 and Windows XP SP3, and are all rated Critical. The other half of the July 2009 security bulletins is considered to pose a smaller risk to end users, and was rated Important. Regardless, users should patch their systems as soon as possible; Microsoft has already started serving the security patches through Windows Update.

“Microsoft released MS09-028 and MS09-032 to help protect customers from attacks on the Video ActiveX Control and the DirectShow vulnerabilities previously addressed by Security Advisory 971778 and Security Advisory 972890, respectively. A comprehensive update for the Office Web Components vulnerability addressed in Security Advisory 973472 wasn’t ready for broad distribution in this month’s release, but Microsoft continues to encourage customers to review and apply the automatic 'Fix It' workaround, provided in Knowledge Base Article 973472,” Dave Forstrom, group manager for Trustworthy Computing Group, revealed.

In total, this month, Microsoft patched nine security vulnerabilities. The Redmond company warned that all security vulnerabilities affecting Windows had an Exploitability Index rating of “1.” This is the highest rating possible, and is designed to illustrate the company's view that consistent exploit code is likely to be made available in the wild in the next month. In such a scenario, users stand a great chance of coming under attack in the first 30 days.

Forstrom enumerated and detailed the security bulletins released on July 14: 

MS09-028 (Maximum severity of Critical): This update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow, which could allow remote code execution. This update received a 1 rating from Microsoft’s Exploitability Index.
MS09-029 (Maximum severity of Critical): This security update resolves two privately reported vulnerabilities in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine, which could allow remote code execution. This update received a 1 rating from Microsoft’s Exploitability Index.
MS09-030 (Maximum severity of Important): This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution. This update received a 1 rating from Microsoft’s Exploitability Index.
MS09-031 (Maximum severity of Important): This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006, which could allow elevation of privilege. This update received a 1 rating from Microsoft’s Exploitability Index.
MS09-032 (Maximum severity of Critical): This security update resolves a privately reported vulnerability in Microsoft Video ActiveX Control, which could allow remote code execution. This update received a 1 rating from Microsoft’s Exploitability Index.
MS09-033 (Maximum severity of Important): This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server, which could allow an attacker to execute arbitrary code. This update received a 2 rating from Microsoft’s Exploitability Index.

