Once again, time for a quick summary of this month's Microsoft Security updates...

Blog Post created by rapid7-admin on Sep 8, 2009

Originally Posted by Sheldon Malm



Five advisories, with eight vulnerabilities covered. Here’s the breakdown: 

MS09-045: Rated Critical. Potential Remote Code Execution in JScript 5.1 on Microsoft Windows 2000 SP4, JScript 5.6/5.7/5.8 on all supported Windows versions except Windows 7 and Server 2008 R2, covering 1 vulnerability: CVE-2009-1920. Important to note that 5.8 is only affected if IE8 is installed and Server 2003/2008 are safe with Enhanced Security Configuration in place. 

MS09-046: Rated Critical for XP and Windows 2000; Moderate for Server 2003. Potential Remote Code Execution in DHTML Editing Component ActiveX Control in Microsoft Windows xxx, covering 1 vulnerability: CVE-2009-2519. If this update cannot be applied right away, you can set a kill bit for IE to disable instantiation of the DHTML ActiveX control COM object. 

MS09-047: Rated Critical. Potential Remote Code Execution in Windows Media, affecting all Windows versions except for Windows 7 and Itanium based systems, covering 2 vulnerabilities: CVE-2009-2498 and CVE-2009-2499. This is the type of update that we've become used to with Microsoft's Media updates in recent years. 

MS09-048: Rated Critical. Potential Remote Code Execution and Denial of Service in TCP/IP affecting Windows 2008, Vista, Server 2003 and 2000, covering 3 vulnerabilities: CVE-2009-1926 (orphaned connections DoS), CVE-2009-4609 (zero window size DoS), and CVE-2009-1925 (timestamps code execution). 

MS09-049: Rated Critical. Potential Remote Code Execution in Wireless LAN AutoConfig Service, affecting Windows Vista and Server 2008, covering 1 vulnerability: CVE-2009-1132. This is a vulnerability in the parsing of wireless frames when received by a wireless interface. Systems without active wireless cards are not affected. 

This is a drastic departure from last month. Recommend updating all of these, with initial priority on MS09-045 (JScript) and MS09-048 (TCP/IP). 

As always, Happy patching!!