Patch Tuesday: One 'Critical' Fix and an Adobe Flash Warning
Microsoft shuts down one significant vulnerability in Windows 2000 SP4, while raising the flag on another old flaw -- this time, in Adobe Flash 6.
In what turns out to be a sleepy first "Patch Tuesday" of the new decade, Microsoft had only one critical flaw to address in its latest monthly collection of bug fixes -- and that is in the oldest supported version of Windows.
However, Microsoft (NASDAQ: MSFT) also distributed a Security Advisory meant to warn users about several holes in Adobe's Flash Player 6 product when running on Windows XP.
Microsoft typically releases all, or most, of the new patches for its products on the second Tuesday of each month, thereby earning it the nickname of "Patch Tuesday."
January's Patch Tuesday roundup includes a fix for a Windows bug rated critical only for Windows 2000 Service Pack 4 (SP4). For all other supported versions of Windows, including Windows 7, the impact of the vulnerability is only rated as "low" -- the least-dire level of Microsoft's four-tier severity rating scale.
This latest bug involves a Windows technology called Embedded OpenType (EOT), which provides a means for embedding compressed fonts in Web pages and in documents. If a user were to click on a booby-trapped file, a malicious attacker could take control of the user's computer.
"The flaw can be exploited through any OpenType-enabled application such as Internet Explorer, PowerPoint, Word, etc., by viewing a webpage or a document ... Users of Windows 2000 should upgrade as quickly as possible," Wolfgang Kandek, CTO of Qualys, said in an e-mail to InternetNews.com.
No attacks have been found in the wild as of yet, according to Microsoft's Security Bulletin.
Microsoft's Security Bulletin regarding the EOT font engine vulnerability and its patch are available online.
Meanwhile, Microsoft also sent out a Security Advisory -- typically, a notice of warning that the company is investigating a newly found flaw or that it is working on a patch for a vulnerability -- regarding Adobe's Flash Player 6 running on XP. According to Microsoft, Flash Player 6 shipped with XP.
As with the EOT font engine security flaw, Microsoft officials say there have been no known attacks in the wild that take advantage of the Adobe (NASDAQ: ADBE) Flash Player vulnerabilities.
Flash Player 6 contains multiple security holes that can result in complete compromise of the user's system. The fix is to install the latest release of Flash Player, which is available from Adobe.
Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of the internet.com network.