Microsoft Patches Windows Security Vulnerability

In the first Patch Tuesday of 2010, Microsoft releases a critical security update for Windows 2000 users. The company also updates a bulletin from 2009 and issues an advisory about vulnerabilities in Adobe Flash Player 6.

Microsoft released a single Windows security bulletin Jan. 12 for its first Patch Tuesday update of 2010.

The bulletin is rated critical for users of Windows 2000 Service Pack 4, and low for several other editions of Windows. The vulnerability at issue lies within the Microsoft Windows EOT (Embedded OpenType) Font Engine, and is due to the way it decompresses specially crafted EOT fonts. If an attacker can trick a user into viewing content rendered in EOT font, the vulnerability could be exploited to permit remote code execution, Microsoft said.

"The lone Microsoft vulnerability affects everything from Windows 2000 to Windows 7, but is only rated critical for Windows 2000," Ben Greenbaum, senior research manager at Symantec Security Response, said in a statement. "From [Windows] XP SP2 [Service Pack 2] onward, Microsoft hardened heap memory with heap memory protection strategies; this makes the vulnerability less of an issue for the later systems."

The company also re-released MS09-035, which was released in July to address vulnerabilities in the Active Template Library. The bulletin was updated to add Windows Embedded CE 6.0 to the affected products list.

"I want to be clear that this rerelease affects only developers and OEMs building applications on top of Windows Embedded CE 6.0 or producing devices that use the operating system," Microsoft Security Program Manager Jerry Bryant wrote on the Microsoft Security Response Center blog. "For end users, no action is required."

Microsoft also released a security advisory today to increase awareness regarding vulnerabilities in Adobe Flash Player 6, which shipped with XP.

"Given support ended in 2006 for Adobe Flash Player 6, Microsoft and Adobe recommend that customers uninstall this version and/or update to the latest version of Adobe's Flash Player," Bryant said. "Customers should note that Adobe addressed these vulnerabilities in newer versions of its software."

Adobe is expected to issue patches for a zero-day bug affecting Adobe Reader and Acrobat later today.