Microsoft has released five new security bulletins in the September version of Patch Tuesday. All bulletins are rated with a Critical severity rating. This month, Windows 7 is not an affected product for the bulletins and vulnerabilities. All bulletins are not publicly known at this time.
The most important bulletin to install first is MS09-048. This bulletin resolves three vulnerabilities in the networking component TCP/IP. In two of the vulnerabilities, attacks could cause a Denial of Service on target machines by sending specially crafted network packets that will cause the system to freeze or automatically restart. The other vulnerability addressed could allow attacks to take control of a target Windows Vista or Windows 2008 system by also sending specially crafted packets. Administrators should patch their servers as soon as possible for this vulnerability as it could lead to network wide outages.
Interestingly enough, Windows 2000 Service Pack 4 is affected by this security bulletin but Microsoft is not issuing a patch for the vulnerability. Microsoft is stating that creating a patch to address the vulnerability is “infeasible to build.” With this in mind, a vulnerability that affects Windows 2000 is about to be made known and administrators cannot simply patch their machines.
MS09-045, MS09-046, MS09-047 and MS09-049 can lead to remote code execution. Each of these bulletins are likely to affect the desktop.
MS09-049 affects Window Vista and Windows 2008 machines that have a Wireless card. Specially crafted wireless frames can be sent to the target system through today’s war dialing routines to take complete control of the machine. If a machine does not have a wireless card, it cannot be attack through this vulnerability.
MS09-045 (jscript) and MS09-046 (DHTML) are vulnerabilities that can be taken advantage of through specially crafted web pages. If an unpatched system visits a specially crafted web page, an attacker can take complete control of the system.
MS09-047 addresses two vulnerabilities in Windows Media Format. If an attacker can get an unpatched system to visit a specially crafted web page, or play a specially crafted media file, he or she can gain complete control of a target system.
The security advisory 975191 was not patched during this patch Tuesday cycle. The advisory has been updated by Microsoft stating that vulnerability is being used in limited attacks. Administrators should look at addressing this vulnerability through work-arounds provided by Microsoft until a security patch becomes available.