Microsoft on Tuesday issued patches for critical holes in all supported versions of Windows that could allow an attacker to take over a system by executing code remotely.

The patch for Windows 2000, XP, Vista, Server 2003, and Server 2008, plugs a vulnerability (MS09-006) that could allow a remote attacker to run code remotely if a user viewed specially crafted images created with the Enhanced MetaFile (EMF) or Windows MetaFile (WMF) display formats, according to Microsoft's advisory.

Also patched on Patch Tuesday were two holes rated "important" that affected the same systems and which could be used by an attacker to masquerade as someone else in a spoofing attack.

One of the important patches, which affects all supported versions of Windows, (MS09-007) resolves a vulnerability in the Secure Channel security package in Windows. It could allow an attacker to gain access to the certificate used by the end user for authentication. Customers are affected only when the public key component of the certificate used has been accessed by some other means, Microsoft said.

The second important patch, which affects Windows 2000, Server 2003, and Server 2008, resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows NDS server and Windows WINS (Windows Internet Name Server). The holes could allow an attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems, according to the advisory.