• PC World
• »Software

MICROSOFT'S RECENT plus-size patch batch includes six critical fixes, the second-largest number of the year. Most of the holes are as bad as they come, too, allowing an attacker to commandeer an unpatched PC if you so much as view a poisoned site with Internet Explorer.

As yet, no reported attacks have targeted these holes; run Windows Update or download the patches to remain current.

One flaw involves the Microsoft XML Core Services, which runs applets written in Javascript and other languages for several Windows programs. It's critical for Windows 2000 SP4, XP SP2, and Vista. Office 2003 SP2 and Office 2007 also contain the hole.

Two other flaws affect the Graphics Rendering Engine (Graphics patch), which comes into play when you view images, and Object Linking and Embedding (OLE patch) automation, which lets Office display an Excel spreadsheet in Word, for example. Windows 2000 SP4 and XP SP2 users are vulnerable; users with Office 2004 for Macs are at risk for the OLE problem as well.

Fixes four and five are for IE, to repair problems associated with its handling of ActiveX controls and CSS style sheets, and vector mark-up language.

The final critical patch is slated for Excel. Without this fix, opening a doctored Excel file in Office 2000 SP3, Office XP SP3, Office 2003 SP2, or Office 2004 for Macs would free an attacker to take over your PC.