Microsoft patches 'critical' security flaw