September Patch Tuesday Fixes 5 Vulnerabilities; Leaves One Open

Microsoft’s monthly patch cycle for September has come out, and it’s something of a mixed bag for users. While there were only 5 advisories, all of them were rated as Critical by Microsoft, because if exploited all five could be used to execute arbitrary code on user systems.
The patches fix vulnerabilities in the JScript Scripting Engine (MS09-045), the DHTML Editing Component ActiveX control (MS09-46), the Windows Media Format runtime (MS09-47), the TCP/IP stack (MS09-48), and the Wireless LAN AutoConfig service (MS09-49). The following Microsoft operating systems are covered by at least one of the said bulletins: Windows 2000, Windows XP, Server 2003, Server 2008, and Vista. The final versions of Windows 7 and Server 2008 R2 are not affected by any of these vulnerabilities.
The MS09-45 and -46 vulnerabilities could affect users that visit malicious/compromised Web sites; MS09-47 affects users who open specially crafted media files. Meanwhile, MS09-48 and -49 affects users who are directly sent malicious data. Microsoft has rated MS09-45 and -47 as 1 on their Exploitability Index, which indicates that they believe that exploit code can be consistently produced for these vulnerabilities by cybercriminals in the future.
However, Windows users are not out of the woods just yet. A separate vulnerability has been found in both Vista and Server 2008’s implementation of the (continue reading...)