Microsoft has released two charts that show the severity and exploitable index and the deployment priority. The former interesting for all users while the latter probably only for network administrators.

• Microsoft Security Bulletin MS09-045 – Critical – Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961) – This security update resolves a privately reported vulnerability in the JScript scripting engine that could allow remote code execution if a user opened a specially crafted file or visited a specially crafted Web site and invoked a malformed script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• Microsoft Security Bulletin MS09-046 – Critical – Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844) – This security update resolves a privately reported vulnerability in the DHTML Editing Component ActiveX control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• Microsoft Security Bulletin MS09-047 – Critical – Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812) – This security update resolves two privately reported vulnerabilities in Windows Media Format. Either vulnerability could allow remote code execution if a user opened a specially crafted media file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• Microsoft Security Bulletin MS09-048 – Critical – Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723) – This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
• Microsoft Security Bulletin MS09-049 – Critical – Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710) – This security update resolves a privately reported vulnerability in Wireless LAN AutoConfig Service. The vulnerability could allow remote code execution if a client or server with a wireless network interface enabled receives specially crafted wireless frames. Systems without a wireless card enabled are not at risk from this vulnerability.

The patches can be download and applied by visiting the pages that are linked above or by using any of the update options that are provided by Microsoft operating systems including Windows Update, Automatic Updates or Microsoft Updates. Additional information can be found at the Microsoft Technet page.

Related posts

• Windows Security Updates September 2008 (0)
• Microsoft Security Patches for June 2009 (12)
• Block windows update from automatic updating to IE7 (1)
• Windows Vista SP1 all languages released (3)
• Windows Vista Service Pack 2 RC Download (6)

Critical ratings for Windows XP or Windows Server 2003 are usually important or moderate ratings for Windows Vista or Windows Server 2008 thanks to the increased security in those operating systems. Downloads are already available from various official sources including Automatic Updates, Windows Update or Microsoft Update.

• MS09-028 – Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) – This security update resolves two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS09-029 – Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633) – This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS09-030 – Cumulative Security Update of ActiveX Kill Bits (973346) – This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS09-031 – Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856) – This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
• MS09-032 -Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953) – This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.
• MS09-033 – Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516) – This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

It is recommended to install the Microsoft Security Patches as soon as possible to close the security vulnerabilities.

Related posts

• Microsoft Patch Tuesday November 08 (0)
• Microsoft Security Patches September 2009 (6)
• Microsoft Security Patches for June 2009 (12)
• Microsoft Security Patches April 2008 (0)
• Microsoft Patch Tuesday December 08 (3)

The updates are available for pretty much every Windows operating system from Windows XP to Windows Server 2008. The easiest way to download the security updates is to use the official Windows Update server from Microsoft, Automatic Updates or direct downloads from the Microsoft Download Center.

Below are the names of the Microsoft Security Bulletin and the links to the Microsoft Security Bulletin website.

• Microsoft Security Bulletin MS08-052 – Critical – Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
• Microsoft Security Bulletin MS08-053 – Critical – Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
• Microsoft Security Bulletin MS08-054 – Critical – Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
• Microsoft Security Bulletin MS08-055 – Critical – Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)

Related posts

• Microsoft Security Updates for June 2008 (0)
• Steps to take before you install Windows XP Service Pack 3 (5)
• Project Dakota Full Windows XP Update CD (7)
• Microsoft Security Updates October 2009 Online (3)
• Microsoft Security Updates April 2009 (2)