In its Tuesday-released November patch update comprising six bulletins, Microsoft has addressed 15 vulnerabilities in Windows, Windows Server, and Office, including a serious flaw that makes allowances for drive-by-download attacks.

Apparently the urgent of the six bulletins, the MS09-065 bulletin, plugs the hole that facilitated attackers in gaining control of a vulnerable system, if a user views a specially crafted Embedded OpenType font. The patch has been given a 'critical' for Windows 2000, XP and Server 2003; and 'important' rating for Vista and Server 2008.

Noting about the significance of the MS09-065 patch, enterprise security auditing company nCircle has stated that attackers could initiate an attack by either viewing a malicious Web site or opening a poisoned Office document. Security software maker Symantec added that proof-of-concept code has already been disclosed to the public.

Among the other two critical patches released this month, one involves the Web Services on Devices Application Programming Interface (WSDAPI), and has been given 'critical' rating for Vista and Server 2008; while the other is rated 'critical' for Windows 2000 systems that run the License Logging Server, wherein the hackers compromise the vulnerable system via a "specially crafted network message."