Windows 2000 flaw highlights slow Patch Tuesday

Just one of the four flaws was rated as 'critical', Microsoft's highest threat level. The remaining three were given the second-highest rating of 'important'.

The 'critical' patch affects users of Windows 2000 Service Pack 4. The vulnerability lies in the Microsoft Agent component of the operating system.

Attackers could exploit the vulnerability through a specially crafted URL, allowing them to execute code with the privileges of the current user.

Experts downplayed the risk of the vulnerability, which does not affect Windows XP or Vista.

"We do not foresee a lot of exploitation of the Windows 2000 vulnerability," said Dave Marcus, security research and communications manager for McAfee.

"Not many people will use those legacy systems to surf the web, which would be the primary attack vector."

XP and Vista users will, however, see at least one update. A flaw in Windows Services 3.0 for Windows could leave the door open for an attacker to gain elevated privileges on a target system.

Microsoft also patched a code execution vulnerability for MSN and Windows Live Messenger which could allow an attacker to execute malicious software on a user's system by way of a specially-crafted video chat invitation.

Although it could allow for remote attacks, the flaw is likely to yield little fruit for attackers and malware authors, according to Marcus.

"Microsoft forces an update, so there is little chance of actually exploiting this vulnerability," he said.

The fourth patch in the monthly update addresses a vulnerability in Microsoft's Visual Studio development tool. An attacker could remotely execute code on a target machine by convincing a user to open a specially-crafted RPT file.

Microsoft's next security update is scheduled for 9 October.