Microsoft issued a single bulletin Tuesday, patching a critical vulnerability in the Embedded OpenType Font Engine on Windows 2000.
The MS10-001 bulletin, which affects all versions of Windows, was given a critical rating for Windows 2000 because it repairs a vulnerability that could be exploited by an attacker to run malicious code, steal sensitive data and take complete control of a victim's machine. On newer systems, an attacker would only have the ability to crash the machine.
The software giant said an attacker can remotely target a Windows 2000 user by tricking them into viewing embedded OpenType fonts in Internet Explorer, Microsoft Office PowerPoint or Word.
"Several mitigations are in place to help prevent the likelihood of exploitation on newer systems," wrote Microsoft's Jerry Bryant on the Microsoft Security Response Center blog.
In addition, Microsoft rereleased MS09-035, the Active Template Library security bulletin pushed out as an emergency patch in July. The update adds Windows Embedded CE 6.0 as an affected product. It affects developers of products that run on top of Windows Embedded CE 6.0.
The July out-of-band update addressed flaws in the ATL that affect Internet Explorer and Visual Studio. Microsoft has been working with other software makers to address programs built in Visual Studio, which could be vulnerable as well.
Adobe Flash Player update
Microsoft also released a security advisory Tuesday warning Windows XP users to upgrade Adobe Flash Player to the latest version. Windows XP ships with Adobe Flash Player 6, which contains multiple remote code execution vulnerabilities and should be removed.