This Patch Tuesday fixes from Microsoft include six critical bulletins that head off potential attacks involving poisoned media files and Web pages, along with wireless and TCP/IP security holes. An under-attack FTP flaw remains unfixed.
Two patches, MS09-045 and MS09-046, fix vulnerabilites that could allow attack code hidden on a Web page to run any command on a vulnerable computer. The first shores up multiple versions of the JScript Scripting Engine and is rated critical for Windows 2000, XP, Server 2003, Vista and Server 2008 (except for Windows Server R2 for x64 and Itanium systems). The second closes a hole in the DHTML Editing Component ActiveX control, and is considered critical for Windows 2000 and XP, and moderate for Windows Server 2003. Windows Vista and Server 2008 aren't affected by the ActiveX flaw.
A third bulletin addresses a critical hole in the Windows Media Format that can hand over control of a vulnerable PC if you view a poisoned .mp3, .wma or .wmv media file, according to Symantec. The MS09-047 patch is critical for numerous combinations of the Windows Media Format Runtime or Windows Media Services on Windows 2000, XP, Server 2003, Vista and Server 2008. Microsoft's bulletin lists the full array of potential OS and software combinations, but Itanium-based systems running either Windows Server 2003 with SP2 or Server 2008 are not vulnerable.
Fourth comes a fix for potential attacks over the network using malicious TCP/IP packets. A firewall will mitigate the risk by blocking TCP/IP packets from unknown Internet sources. The MS09-048 bulletin is critical for Windows Vista and Server 2008 systems, which could be taken over by a successful attack. The flaw is only rated important for Windows Server 2003 and Windows 2000, as an attack against those OS's would likely only cause a crash. However, there is no patch available for Windows 2000 – Microsoft says a fix would require rearchitecting large parts of the OS and is “infeasible.”
The final critical patch corrects a problem with the Wireless Lan AutoConfig Service that can allow specially crafted attack packets sent over a wireless connection to take over vulnerable Windows Vista and Server 2008 machines. Other versions of Windows aren't affected, and any computer without a wireless card is of course safe as well. The MS09-049 bulletin lists more details.
IT admins should note that a previously reported security hole in the FTP component of the Microsoft Internet Information Service did not get fixed in this month's patch batch. The hole is reportedly under active attack, so on-the-ball admins should check the list of workarounds in Microsoft's technet post.