TECHNICAL BULLETIN
| PROBLEM: | This bulletin lists Microsoft security bulletins and patches released for September 2009. |
| PLATFORM: | Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 |
| ABSTRACT: | Microsoft has released patches for critical vulnerabilities in all current versions of Windows. The bulletin contains links to the individual Microsoft Knowledge Base articles. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-227.shtml |
| OTHER LINKS: | Microsoft September 2009 Bulletin Summary: http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx ; Internet Storm Center: http://isc.sans.org/diary.html?storyid=7099 |
| CVE: | CVE-2009-1920, CVE-2009-2519, CVE-2009-2498, CVE-2009-2499, CVE-2009-1925, CVE-2009-1926, CVE-2008-4609, CVE-2009-1132 |
| IMPACT ASSESSMENT: | This risk is high. An attacker could execute arbitrary code or create denial of service conditions depending on the vulnerability. |
[***** Start MS09-045 Thru MS09-049 *****]

Discussion: This is a reminder that the monthly Microsoft patch cycle has been released. Below is a summary of each vulnerability addressed.

MS09-045 - Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (CVE-2009-1920)
This security update resolves a privately reported vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerable: All Microsoft operating systems that use JScript 5.6, 5.7, or 5.8
http://www.microsoft.com/technet/security/Bulletin/MS09-045.mspx

MS09-046 - Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (CVE-2009-2519)
This security update resolves a privately reported vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerable: Windows XP and Windows Server 2003
http://www.microsoft.com/technet/security/Bulletin/MS09-046.mspx

MS09-047 - Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (CVE-2009-2498 & CVE-2009-2499)
This security update resolves two privately reported vulnerabilities in Windows Media Format. Either vulnerability could allow remote code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerable: All Windows operating systems
http://www.microsoft.com/technet/security/Bulletin/MS09-047.mspx

MS09-048 - Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (CVE-2008-4609, CVE-2009-1925, & CVE-2009-1926)
This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service; no user interaction is required, so the exposure of a host is determined by which TCP ports it has listening and which of those are reachable from an attacker's network position. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Vulnerable: Windows Server 2003 & 2008, Windows Vista
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

MS09-049 - Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (CVE-2009-1132)
This security update resolves a privately reported vulnerability in the Wireless LAN AutoConfig Service. The vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. Systems without a wireless card enabled are not at risk from this vulnerability.
Vulnerable: Windows Server 2008, Windows Vista
http://www.microsoft.com/technet/security/Bulletin/MS09-049.mspx

[***** End MS09-045 Thru MS09-049 *****]
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov