Microsoft has released three critical patches and one update with a "moderate" rating as part of its monthly "Patch Tuesday" cycle.
As detailed in the Microsoft security bulletin summary for May 2008, one of the critical patches addresses vulnerabilities in Word that could allow for remote code execution. The vulnerabilities, including object parsing and cascading style sheet flaws, lie in several versions of Office, including XP Service Pack 3 (SP3). A full list of affected versions is available in Microsoft security bulletin MS08-026.
The second patch is directed at a Microsoft Publisher object handler validation flaw in versions of Office, including XP SP3, as detailed in Microsoft security bulletin MS08-027.
The third critical patch addresses a stack-overflow vulnerability in Microsoft Jet Database Engine that could allow remote code execution. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," warned Microsoft. Versions of Windows including 2000 SP4, XP SP2 and Windows Server 2003 are affected. Details can be found in Microsoft security bulletin MS08-028.
The "moderate" patch addresses vulnerabilities in Microsoft's Malware Protection Engine that could allow a successful denial-of-service attack.
Patch-management strategies can be found on Microsoft's website. On Tuesday, Microsoft also released an updated version of its Windows Malicious Software Removal Tool (MSRT) on Windows Update, Microsoft Update, Windows Server Update Services and Download Center.
Microsoft hosted a webcast on Wednesday to address customer concerns.