Microsoft plugs Windows 2000 hole, Adobe to fix Reader

[DKT27]

Microsoft plugs Windows 2000 hole, Adobe to fix Reader

Microsoft patched a critical hole in Windows 2000 on Tuesday that could allow an attacker to take control of a computer if a user viewed a maliciously crafted Embedded OpenType font in Internet Explorer, Office PowerPoint or Word.

The security bulletin is rated "low" severity for Windows 7, Vista, XP, Server 2003, and Server 2008 operating systems, according to the Microsoft advisory, which gave credit for discovering the vulnerability to a Google researcher.

According to Microsoft's Exploitability Index, the hole is rated "2" which means "inconsistent exploit code likely" while "exploitation of systems running Windows XP and later operating systems is unlikely." More technical details are available on Microsoft's Security Research and Defense blog.

However, security experts said a patch for a Zero-Day vulnerability in Adobe Reader and Acrobat that Adobe Systems was scheduled to release on Tuesday was even more important than the Microsoft bulletin. The hole was discovered in mid-December and is being exploited by attacks in the wild to deliver Trojan horse programs that install backdoor access on computers.

"Unlike most months, what the bulletin administrators should look at first is the Adobe patch when it is released later today," said Jason Miller, data and security team leader at Shavlik Technologies. "This bulletin will patch vulnerabilities that are currently in the wild affecting users."

Adobe also will be releasing a beta test version of a new automatic updater for Reader and Acrobat on Tuesday, according to ZDNet, sister publication of CNET. Reader was found to be one of the buggiest programs in 2009.

Meanwhile, Microsoft issued an advisory for holes in the Adobe Flash Player 6.0 that shipped with Windows XP and updated its Malicious Software Removal Tool to include the Win32/Rimecud worm that spreads through removable drives, Instant Messenger and peer-to-peer shared folders.

Microsoft also re-released an Active Template Library bulletin to add Windows Embedded CE 6.0 to the affected products list. This re-release affects only developers and original equipment manufacturers building applications on top of the mobile platform.

"One of the outstanding bugs that wasn't patched this month is an SMB [server Message Block] denial-of-service attack vulnerability that has been open since mid-November," said Andrew Storms, director of security operations at nCircle. "Since Microsoft has left the bug open for this long it's now clear that the threat isn't as serious as many people believed."

Finally, Oracle is slated to release its quarterly Critical Patch Update on Tuesday, containing 24 fixes for 7 products, including the application server and database engine. "The majority of the holes are remotely exploitable without authentication," notes Wolfgang Kandek, chief technology officer at Qualys.

Source - CNET