An interesting patch day
By Sylvain SARMEJEANNE, Wednesday 9 September 2009 at 17:14 :: General :: #336
Microsoft has just released its security bulletins for September. Eight vulnerabilities have been fixed, all rated critical. The 0-day affecting IIS has not been fixed.
MS09-045: vulnerability in the Windows JScript scripting engine
(Ref Lexsi 12234)
MS09-046: vulnerability in the Windows DHTML editing component ActiveX control
(Ref Lexsi 12233)
MS09-047: two vulnerabilities in Windows Media
(Ref Lexsi 12236)
MS09-048: three vulnerabilities in the Windows TCP/IP stack
(Ref Lexsi 12235). One of them, which allows an attacker to cause a remote denial of service with very few resources, was disclosed in 2008 by Outpost24, and the affected vendors have just released their patches in a coordinated manner. This patch will not be available on Windows 2000 because of the extensive modifications it would require. But surprisingly enough, it will not be available on Windows XP either, Microsoft justifying this by the fact that no service listens for incoming remote connections on this system by default... Another vulnerability, in Vista and 2008, occurs when parsing a TCP field and can potentially allow remote code execution. This is the same kind of vulnerability as the 0-day affecting SMBv2 discovered yesterday.
MS09-049: vulnerability in the Wireless LAN AutoConfig Service
(Ref Lexsi 12232). It can be remotely exploited without user interaction to execute arbitrary code, the only condition being that the user's wireless interface is up! However, it only affects Vista and 2008.
Like every month, the MSRT has been updated and now supports Bredolab and Daurso. The former is a downloader that installs other malicious software; the latter is a password stealer and can be installed by the former. It searches for connection information stored by several popular FTP clients (FileZilla, CuteFTP, etc.), as well as in the Windows Protected Storage. This can be critical if a webmaster's system becomes infected, since it gives the attacker access to the web site, for example to add a malicious iframe.