Vista, XP spared from most dangerous vulnerabilities.
Microsoft issued four security fixes in the September installment of its monthly security bulletin program, also known as 'Patch Tuesday'.
Just one of the four flaws was rated as critical, Microsoft's highest threat level. The remaining three patches were all given the second-highest rating of important.
The critical patch only affects users of Windows 2000 Service Pack 4. The vulnerability lies in the Microsoft Agent component of the operating system.
Attackers could exploit the vulernability through a specially crafted URL, allowing them to execute code with the privileges of the current user.
Experts downplayed the risk of the vulnerability, which does not affect Windows XP or Vista.
"We don't foresee a lot of exploitation of the Windows 2000 vulnerability," said Dave Marcus, security research and communications manager for McAfee.
"Not many people will use those legacy systems to surf the Web, which would be the primary attack vector."
XP and Vista users will, however, see at least one update. A flaw in Windows Services 3.0 for Windows could leave the door open for an attacker to gain elevated privileges on a target system.
Microsoft also patched a code execution vulnerability for MSN and Windows Live Messenger. That vulnerability could allow an attacker to execute malicious software on a user's system by way of a specially-crafted video chat invitation.
Though it could allow for remote attacks, the flaw will likely yield little fruit for attackers and malware authors, said Marcus.
"Microsoft forces an update, so there is little chance of actually exploiting this vulnerability."
The fourth patch in the monthly update addresses a vulnerability in Microsoft's Visual Studio development tool. An attacker could remotely execute code on a target machine by convincing a user to open a specially-crafted RPT file.
Microsoft's next security update is scheduled for 9 October.