Bulletins address flaws in Excel, Outlook and VML.
Microsoft has issued four bulletins addressing 10 vulnerabilities as part of its monthly patch cycle.
Three of the bulletins include updates for 'critical' vulnerabilities that could allow for remote code execution without user input.
A fourth bulletin, rated 'important', fixed vulnerabilities that could allow remote code execution but would require user permission.
Five of the vulnerabilities are for Excel. Microsoft said that elements of an Excel spreadsheet could be specially crafted to allow an attacker to remotely execute code on a system. The vulnerabilities are most serious in Excel 2000.
Also included in the update is a fix for a 'critical' vulnerability in the way Windows handles VML files that could allow for remote code execution. The vulnerability affects Windows 2000, XP, 2003 and Server 2003.
Microsoft Outlook received fixes for three vulnerabilities. Two could lead to remote code execution, while a third could be used to trigger a denial of service attack. Outlook 2007 is not affected by any of the vulnerabilities, according to Microsoft.
The remaining vulnerability is in the Brazilian Portuguese grammar checker in Office 2003 that could allow for remote code execution.
Microsoft revealed yesterday that it would be holding back four security patches after saying last week that eight bulletins would be included in the update.