By Susan Bradley
Systems running Windows 2000, Windows XP, or Windows Server 2003 are at risk of infection via fonts used on malicious Web sites.
No attacks exploiting this vulnerability have been recorded yet, but I expect them to begin soon — so apply this patch right away.
Embedded OpenType fonts pose remote-attack risk
Patch MS09-065 (969947) addresses several vulnerabilities in the Windows kernel. One in particular poses serious threats to Windows 2000, XP, and Server 2003: a specific type of Embedded OpenType font allows remote code execution, which an attacker could use to launch a denial-of-service attack or even take over your system. The hole will very likely be exploited soon by malicious Web sites.
As frightening as that sounds, the good news is that this week’s patch installed without a hitch on my test XP systems. Apply this update as soon as you can to ensure you’re protected from malicious Web activity. Also, since the exploit requires that you visit a malicious site, think twice before you click a dodgy link in an e-mail or instant message.
While several other November patches are rated “Critical” by Microsoft, this is the only one of this month’s Windows updates that I rate as truly imperative.
UPDATE 2009-11-19: In the Nov. 19 Patch Watch column, Susan describes a problem the XP kernel patch causes for systems using ATI Radeon HD 2400 and Nvidia GeForce 7050/NForce 610i video adapters.
MS09-067 (972652) and MS09-068 (976307)
Infected Excel and Word files make the rounds
No doubt you’ve been warned before of the dangers of opening Word and Excel files attached to unexpected e-mails. MS09-067 (972652) and MS09-068 (976307) plug holes that allow a phishing attack to take control of your system when you open an infected Word or Excel file.