
Another couple of "critical" flaws nailed down...
By Joris Evers
Published: 11 January 2006 08:45 GMT
Microsoft on Tuesday released fixes for two "critical" security flaws, one in Windows and another in the Outlook email client and Exchange mail server.
Both vulnerabilities could allow an attacker to gain complete control over vulnerable PCs or servers running the Microsoft software, the company said in two security bulletins, released as part of its monthly patching cycle.
The Windows problem lies in the way the software processes web fonts and affects all current versions of the operating system. A vulnerable Windows system could be compromised if the user opened an email or visited a website containing a malicious font, Microsoft said in security bulletin MS06-002.
In security bulletin MS06-003, Microsoft said Outlook and Exchange are flawed in the way the applications decode certain email messages. An attacker could craft a malicious email message, and vulnerable systems would be compromised when the message is processed by Exchange or viewed by the Outlook user.
Both vulnerabilities were reported privately to Microsoft, which has not discovered any current cyber attacks that use the flaws as a conduit. Patches to repair the bugs are available via the online bulletins and the company urges people to install them as soon as possible.
Tuesday is Microsoft's first official Patch Tuesday of 2006. However, the company broke its monthly patching program last week to deliver a fix for another serious flaw in Windows. That bug, related to the way the operating system renders Windows Meta File images, is being used in exploits, experts have said.
On Monday, two new Windows image problems were reported on a popular email list. Microsoft acknowledged those issues but said they are performance problems, not security vulnerabilities.
The new Exchange and Outlook vulnerability affects all current versions of the software except Exchange 2003 with Service Pack 1 or Service Pack 2, Microsoft said. The issue is specific to the processing of mail that uses the Transport Neutral Encapsulation Format (TNEF) protocol, used in sending messages in Rich Text Format. For temporary protection, Exchange users could block TNEF, Microsoft suggested.
The Windows problem was discovered and reported by eEye Digital Security, and the Exchange and Outlook flaw was found by Next Generation Security Software.
Joris Evers writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.