Microsoft has released November's Patch Tuesday security update, which contains just two bulletins - one rated 'critical' and one 'important'.

The 'critical' flaw affects the XML Core Services software within Windows 2000, XP and Vista, as well as Server 2003 and 2008.

The flaw can be exploited with a specially-crafted web page in Internet Explorer. On systems running Core Services 3.0, the attacker could remotely execute code. If the user is running the 4.0 or 6.0 XML Core Services release, the attacker would be able to access user data.

The update is being issued for all currently supported versions of Windows and Windows Server, as well as Microsoft Office and Expression Web.

The second bulletin addresses a vulnerability in the Microsoft Server Message Block system for Windows 2000, XP, Vista, Server 2003 and Server 2008.

An attacker could target the flaw by setting up a specially-configured Server Message Block server. When the user attempts to access the server, the attacker's machine runs a 'mirror' attack which could allow an intruder to access the system with the rights of the current user.

Administrators and those with extensive privileges are at a higher risk, while user accounts with limited permissions would face less of a threat.

The risk is also considered less severe for Windows Vista and Server 2008 users who have not changed the system's default file sharing settings.

Users can obtain the November update automatically through the company's Microsoft Update and Windows Update services, as well as manually via the company's support download centre.