Microsoft plugs 18 security holes

Vulnerabilities range from 'critical' to 'severe'

Microsoft has issued patches for 18 software vulnerabilities as part of its monthly security update cycle, 14 of which are rated 'critical'.

Security vendor McAfee singled out three flaws as 'severe'.

A vulnerability in the Server component of Windows could allow an attacker to take control of a system. McAfee warned that attackers could exploit the hole to launch a worm outbreak.

Microsoft credited TippingPoint and security researcher HD Moore for reporting the bug.

Eight security holes in the Excel spreadsheet application also require attention. The vulnerabilities could allow attackers to take control of a system through a specially crafted Excel document.

As previously reported, attackers are actively exploiting the Excel flaw.

McAfee also highlighted three vulnerabilities in Office that could allow attackers to take control of a system.

The flaws span a series of applications including Word, Excel and Outlook and could be exploited by including a malformed string or property into a document.

Upon infection, attackers would be granted the same rights as the local user who opened the infected document. Most users today are configured to log in with full administrator rights.

Microsoft rated the flaw as 'critical' for users of Office 2000 and 'important' for Office 2003. The company credited Symantec for reporting one of the flaws.

Users are urged to update their systems using the Windows Update feature or by downloading patches from the Microsoft Security website.