Month after month, I report on the latest problems with Internet Explorer and Windows. You might think that these are the only pieces of software at risk, and they are often under constant scrutiny (see "In Brief"). But don't assume that you're covered after plugging holes in the usual suspects. This month, Microsoft Office is vulnerable--along with a host of other programs--due to three newly discovered holes.

The first flaw affects any program that uses Visual Basic for Applications--a programming language common to all Office apps, as well as Publisher, Visio, and others.

Microsoft didn't make VBA bulletproof. It has an "unchecked buffer" that, if exploited by malicious code, could let an attacker take over your PC. Buffer checkers are like the safety cutoff valves in self-serve gasoline pumps. When your tank--or in this case, a buffer meant to hold data until it's needed--is full, the pump automatically shuts off. But the VBA buffer lacks a shutoff valve. In theory, a miscreant may send you a malformed PowerPoint file, say, containing an attack macro capable of sending too much data to the buffer. If you load the file, the macro begins to execute. As the data overflows, the cracker's code moves to take over. See this Microsoft bulletin for a list of affected programs and a link to the fix.

The other two flaws affect Word (versions 97 through 2002) and Works Suite (versions 2001 through 2003). One of them involves macros. If you open a Word file containing a nasty macro, it can execute automatically and cause a lot of damage. Jump to Microsoft's site to get the patch.

The final vulnerability affects Corel WordPerfect word processor documents. If you need to be able to read WordPerfect files within Microsoft Word, you probably use Microsoft's file converter. But the converter has a hole consisting of another unchecked buffer that a miscreant could misuse by sending you an infected WordPerfect file. Again, at Microsoft's site you can download the patch and read details about other susceptible programs.