Three dire Windows holes patched

Microsoft on Tuesday released seven security updates with patches for 11 security vulnerabilities, most of which affect the Windows operating system.

The software maker originally planned to release only six security bulletins as part of its monthly patch cycle. However, it added a seventh to deliver a fix for two flaws that affect the Windows Media Format, including one zero-day bug, a company representative said.

Microsoft also provided a patch for a zero-day vulnerability that affects Visual Studio 2005 developer tools. This security hole was disclosed last month and, contrary to the Windows Media issue, has already been used in cyber attacks, the company said.

However, there were no fixes Tuesday for a pair of known flaws in Microsoft Word that are also being exploited in malicious software.

Amol Sarwate, a research manager at vulnerability management company Qualys, said: "While we see Microsoft making an attempt to patch zero-day vulnerabilities, they are still struggling to keep up with the continuous influx of zero-day attacks. Microsoft is making a genuine effort. However, users are still exposed to attacks via the unpatched Word vulnerabilities."

The Windows Media issues are addressed in bulletin MS06-078, one of three "critical" security updates published by Microsoft on this 'Patch Tuesday'. The other high-risk vulnerabilities lie in Internet Explorer and in Visual Studio 2005.

Joris Evers writes for CNET News.com.