Microsoft releases Windows OpenType Font Engine patch

Article

Microsoft releases Windows OpenType Font Engine patch

Robert Westervelt, News Editor

Microsoft issued a single bulletin Tuesday, patching a critical vulnerability in Embedded OpenType Font Engine on Windows 2000.

The MS10-001 bulletin, which affects all versions of Windows, was given a critical rating for Windows 2000 because it repairs a vulnerability that could be exploited by an attacker to run malicious code, steal sensitive data and take complete control of a victim's machine. On newer systems, an attacker would only have the ability to crash the machine.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Microsoft updates:
Dec. - Microsoft gives Internet Explorer a major security overhaul: The final regular Microsoft update of 2009 repairs five critical vulnerabilities in IE and blocks public exploit code, which surfaced in November. 

Nov. - Microsoft patches serious Windows kernel flaws: Vulnerabilities in several Windows kernel drivers could be remotely exploited to gain complete access to a system.

Oct. - Microsoft addresses critical SMBv2 flaw, fixes record number of flaws: Microsoft addressed three critical vulnerabilities in Windows Server Message Block. Thirteen bulletins addressed a record 34 flaws.

The software giant said an attacker can remotely target a Windows 2000 user by tricking them into viewing embedded OpenType fonts in Internet Explorer, Microsoft Office PowerPoint or Word.

"Several mitigations are in place to help prevent the likelihood of exploitation on newer systems," wrote Microsoft's Jerry Bryant on the Microsoft Security Response Center blog.

In addition, Microsoft rereleased MS09-035, the Active Template Library security bulletin pushed out as an emergency patch in July. The update adds Windows Embedded CE 6.0 as an affected product. It affects developers of products that run on top of Windows Embedded CE 6.0.

The July out-of-band update addressed flaws in the ATL that affect Internet Explorer and Visual Studio. Microsoft has been working with other software makers to address programs built inside of Visual Studio, which could be potentially vulnerable as well.

Adobe Flash Player update
Microsoft also released a security advisory Tuesday warning Windows XP users to upgrade Adobe Flash Player to the latest version. Windows XP ships with Adobe Flash Player 6, which contains multiple remote code execution vulnerabilities and should be removed.


Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top