Five critical updates issued by Microsoft

Microsoft has delivered five critical security updates, patching eight Windows vulnerabilities. The flaw include one in the JavaScript engine that ships with every supported version of the company's operating system.

The other vulnerabilities lie in a pair of Windows Media Player file formats; in Windows' implementation of TCP/IP, the Web's default suite of connection protocols; and in the operating system's wireless network's automatic-configuration service.

"The fog of last week has cleared, but what we're seeing today is a lot of bugs related to Internet Explorer that were labeled as Windows vulnerabilities before," said Andrew Storms, director of security operations at nCircle Network Security. Storms was referring to Microsoft's advance notification last week, when the company only divulged that it would issue updates for Windows.

Three of the updates, said Storms - MS09-045, MS09-046 and MS-09-047 - actually are better categorised as Internet Explorer (IE) issues because hackers will exploit the updates' four bugs through IE. "Those are the big problem this month," argued Storms, "because they affect IE when the user is doing the normal thing on the computer ... surfing the Internet."

MS09-045 updates Windows' JavaScript/JScript parsing engine to stymie "drive-by" attacks that hackers can craft simply by injecting malicious script in a web page.

"In most cases, a malicious attacker can easily abuse this flaw by simply coercing a Windows user to view an attacker's website," said Derek Brown, a security researcher with 3Com's TippingPoint DVLabs. TippingPoint's Zero Day Initiative - one of two bug bounty programmes in existence - was credited by Microsoft with reporting the flaw.

Brown said users should expect exploits of the JavaScript/JScript vulnerability shortly. "Due to the widespread distribution of the parsing engine and the relative ease in crafting an exploit, [users should] apply the patch immediately," he said in an email. Microsoft ranked the bug as a "1" on its accompanying exploitability index, meaning that "consistent exploit code [is] likely."

Every currently-supported version of Windows contains the flaw. Only Windows 7 and Windows Server 2008 R2 - neither of which have officially been released - are immune, said Microsoft.

But while Storms urged users to prioritise the IE-related bugs, he was afraid that advice might get lost in the attention paid to MS09-048, which updates Windows' TCP/IP stack. "I think a lot of people will focus on the TCP/IP problem, because it's been awhile since we've seen a problem with the IP stack," he said.

That wouldn't be smart. "Exploiting this will be very difficult," Storms predicted. Microsoft agreed, saying that MS09-048's three separate vulnerabilities would be tough to exploit in the next 30 days by assigning them either as a "2" (inconsistent exploit code likely) or a "3" (consistent exploit code unlikely) in its index.

It's more likely hackers will craft attacks around the two vulnerabilities in MS09-047: Microsoft rated both as "1" in its exploitability index. "Either vulnerability could allow remote code execution if a user opened a specially crafted [Windows] media file," Microsoft said in the accompanying advisory.

The two flawed file formats are Advanced Systems Format (ASF) and MPEG-1 Audio Layer 3 (MP3).

In MS09-046, Microsoft patched a single vulnerability in the DHTML Editing Component ActiveX control - used by IE to support dynamic HTML content editing - that could be triggered by a malicious site in a drive-by attack.

The fifth update, MS09-049 patches one critical vulnerability in Windows' wireless network auto-configuration service.

"Auto-config tools lend themselves to miscreants," said Storms.

As expected, Microsoft did not patch the recently-revealed vulnerability in its popular Internet Information Services (IIS) web server. Storms and other security experts said last week that it would be very unlikely that Microsoft would be able to craft and test a fix for the flaw in the time available. Microsoft, however, has promised to patch IIS at some point.

Nor was there a fix for the "Blue Screen of Death" vulnerability that a hacker publicly disclosed only late yesterday.

September's updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.