Fixes in for Windows 2000, Adobe Reader
Security experts say Adobe's patch for a zero-day Reader vulnerability is more critical than the Windows hole.
Microsoft patched a critical hole in Windows 2000 on Tuesday that could allow an attacker to take control of a computer if a user viewed a maliciously crafted Embedded OpenType font in Internet Explorer, Office PowerPoint, or Word.
The security bulletin is rated "low" severity for Windows 7, Vista, XP, Server 2003, and Server 2008 operating systems, according to the Microsoft advisory, which gave credit for discovering the vulnerability to a Google researcher.
According to Microsoft's Exploitability Index, the hole is rated "2" which means "inconsistent exploit code likely" while "exploitation of systems running Windows XP and later operating systems is unlikely." More technical details are available on Microsoft's Security Research and Defense blog.
However, security experts said a patch for a zero-day vulnerability in Adobe Reader and Acrobat that Adobe Systems released on Tuesday was even more important than the Microsoft bulletin. The hole was discovered and is being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers.
"Unlike most months, what the bulletin administrators should look at first is the Adobe patch when it is released later today," said Jason Miller, data and security team leader at Shavlik Technologies. "This bulletin will patch vulnerabilities that are currently in the wild affecting users."
Adobe also released a beta test version of a new automatic updater for Reader and Acrobat on Tuesday, according to the Adobe Reader blog. Reader was found to be programs in 2009.
Meanwhile, Microsoft also issued an advisory for holes in the Adobe Flash Player 6.0 that shipped with Windows XP and updated its Malicious Software Removal Tool to include the Win32/Rimecud worm that spreads through removable drives, Instant Messenger and peer-to-peer shared folders.
In addition, Microsoft re-released an Active Template Library bulletin to add Windows Embedded CE 6.0 to the affected products list. This re-release affects only developers and original equipment manufacturers building applications on top of the mobile platform.
"One of the outstanding bugs that wasn't patched this month is an SMB [Server Message Block] denial-of-service attack vulnerability that has been open," said Andrew Storms, director of security operations at nCircle. "Since Microsoft has left the bug open for this long it's now clear that the threat isn't as serious as many people believed."
Finally, Oracle released its quarterly Critical Patch Update on Tuesday, containing 24 fixes for seven products, including the application server and database engine. "The majority of the holes are remotely exploitable without authentication," notes Wolfgang Kandek, chief technology officer at Qualys.
Updated 5:20 p.m. PST with Adobe and Oracle releasing the updates.