Microsoft on Tuesday issued six bulletins containing 11 fixes as part of its monthly patch cycle, covering everything from its Windows operating systems to applications and the .NET framework.
Three of the fixes are listed as "critical," the most severe rating. One covers Microsoft Excel and would allow for remote code execution on an unsuspecting victim's PC if the user opens a specially crafted Excel file.
The second critical fix addresses vulnerabilities in implementations of Active Directory on Windows 2000 Server and Windows 2003 Server that could allow worm attacks.
The third critical fix covers three vulnerabilities in the .NET Framework that were reported by Microsoft customers, two of which could allow for remote code execution.
Dave Marcus, security research and communications manager at McAfee Avert Labs, said the flaws could be exploited through malicious Web sites. Users need only visit the booby-trapped Web sites to trigger the code installation on their PCs.
There are two fixes listed as "important," which are significant but not as severe as a critical fix. One plugs a remote code execution hole in Microsoft Office Publisher 2007. The second fix, also reported to the company, addresses a remote code execution vulnerability in its Internet Information Services (IIS) 5.1 server.
The last one, rated as "moderate," fixes a hole in Windows Vista that could allow incoming unsolicited network traffic to access a network interface. An attacker could potentially gather information about the affected host.
The updates are available through Windows Update and Microsoft Update. Users with Automatic Updates activated on their computer will get the patches on the fly.