
This critical hole appears in Microsoft's Malware Protection Engine, a part of Windows Defender and Windows Live OneCare, as well as of the Microsoft Antigen and Microsoft Forefront Security business programs. Through it, attackers could take over a vulnerable PC running the security software on any supported version of Windows, including Vista, if one of the affected programs scans a doctored PDF file sent as an e-mail attachment or downloaded from the Web.
No active attacks against this hole are known to exist, but if you haven't already received the fix through Automatic Updates, get it now.
Microsoft also patched a fistful of critical holes affecting Internet Explorer 6. Some of the flaws actually reside in Windows, but all create the risk of drive-by downloads if you browse a poisoned site with IE 6 on Windows 2000 SP4 through XP SP2. Vista is not affected, and IE 7 offers additional protection by requiring multiple confirmations to run ActiveX. All the patches have been distributed via Automatic Updates; the fixes appear to have come out before any known attacks.
The first two fixes close holes in two different ActiveX controls used by Windows (and loadable by IE) for HTML Help and for Microsoft Data Access Components. The other two repair flaws in IE's handling of COM objects.
At Microsoft's site you can get details on the COM flaws, along with info on the final hole, which can be targeted if you click a poisoned FTP (file transfer protocol) link in an e-mail or on a hacked site.
Office Attacks
Just as Microsoft thought it had fixed the last of a string of exploited holes in its Office applications, another one popped up. The fixes (distributed via Automatic Updates) close vulnerabilities considered critical in Word 2000 and rated important in Works and in other Word versions. The new, as-yet-unpatched bug is rated the same, and is triggered through the usual vectors: a tainted e-mail attachment or a downloaded file.