11 Jan 2006, Tom Sanders in California, V3
Microsoft has published two security updates for its Windows operating system, both of which carry the software giant's most severe rating of 'critical'.
The first patch targets a vulnerability in the way that Windows handles embedded web fonts. Attackers could use the hole to take control of an affected system.
Embedded web fonts allow documents to come bundled with the appropriate fonts to ensure that they are properly displayed. The technology has been built into Internet Explorer since version 4.
The second fix plugs a security hole in several versions of Outlook and Exchange Server, which again could allow an attacker to take control of a system.
The vulnerability concerns the way that the messaging applications decode the Transport Neutral Encapsulation Format MIME attachment, Microsoft said in a security advisory.
An attacker could exploit the flaw by crafting a special email attachment spread via a spammed message. The user still has to preview or open the message to become infected.
Security experts at eEye Digital Security discovered the Windows flaw. The Exchange and Outlook hole was found by Next Generation Security Software.
The patches are Microsoft's second security release for this month, after the vendor was forced to rush out a patch for a widely exploited security flaw in the WMF graphics format last week.
Microsoft typically issues its security updates on the second Tuesday of the month, a cycle that has become known as 'patch Tuesday'.