Microsoft warns of three new 'critical' security flaws

PC users already suffering under a wave of virus attacks this week have been warned by Microsoft of three critical security flaws in Internet Explorer and Windows that could lead them open to attack.

Microsoft released a cumulative patch for Explorer that fixes several vulnerabilities previously disclosed by the company, and it re-released an advisory for Microsoft's SQL Server software, warning that a flaw in it that actually affects most Windows users.

Stephen Toulouse, security program manager for Microsoft's security response centre, said users who don't patch their systems could leave the computers open to attack through a fake web page or an HTML email that contains the specific exploit code.

"The Internet Explorer bulletin is rated as 'critical' across all platforms except Windows 2003," he said.

A critical rating is the highest grade that Microsoft assigns to its alerts. The flaws were rated 'moderate' - the second-lowest grade - for Windows 2003, the latest version of the operating system.

On Wednesday, anti-virus firm Symantec said the MSBlast worm, which takes advantage of a month-old vulnerability in Microsoft's operating system, had infected almost 700,000 computers. A variant of the worm, MSBlast.D or Nachi, has infected more than 525,000 computers since it began to spread on Monday.

Although critical, the latest vulnerabilities are far less likely to become fodder for a worm writer because a victim would have to go to an attacker-owned web page to be attacked.

The Explorer vulnerabilities involve the fact that the software doesn't check the type of an object returned from a web server and because a flaw exists in the browser's cross-domain security model, Microsoft stated in its advisory.

The other critical vulnerability affects all supported versions of Windows and was originally thought to be a vulnerability in Microsoft's SQL Server but is, in fact, a flaw in the omnipresent Microsoft data access component (MDAC). Windows 2003 doesn't have the vulnerable software installed by default, but a user could have downloaded the programs and so could be vulnerable.

Toulouse pointed out one silver lining in the latest vulnerabilities - the flaws affected Windows 2003 to a lesser degree.

"I think it is an observable bit of progress for Trustworthy Computing. The default settings of the operating system are more secure," he said.

Robert Lemos writes for CNET News.com