On January 12th, 2010, Microsoft made available the first Windows security bulletin of the year. Although MS10-001 carries a maximum severity rating of Critical, only customers still running Windows 2000 Service Pack 4 are exposed to that degree: the bulletin addresses an integer flaw in the LZCOMP decompressor used for MicroType Express compressed fonts, and it is Windows 2000 on which the flaw is rated Critical. For all other supported Windows releases, including Windows 7 and Vista SP2, MS10-001 has a rating of Low.
At the same time, the vulnerability mentioned above has been responsibly disclosed to Microsoft, and the software giant noted no attempts to exploit the flaw and no attacks in the wild. The first Windows security update for 2010 is already available to customers via Windows Update.
“As part of its routine monthly security update cycle, Microsoft released one bulletin, MS10-001, to address a vulnerability in Windows and Windows Server,” explained Jerry Bryant, senior security program manager lead, Microsoft. “We recommend customers deploy the update as soon as possible, specifically Windows 2000 customers given the Critical rating on this platform.”
On Windows 2000, a successful exploit of the vulnerability would have to involve tricking the end user into viewing content rendered with a malformed Embedded OpenType (EOT) font in a client application. Such an exploit would therefore need Internet Explorer, Office PowerPoint, or Office Word to be present on the machine, as these are the applications capable of rendering EOT fonts.
Customers that are still stuck running Windows 2000 should do their best to upgrade to a more recent release of Windows as soon as possible, preferably Windows 7. Windows 2000 has only six more months of support left, after which customers will be completely exposed to attacks targeting future vulnerabilities. “Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000,” Bryant added.