The software giant dubbed "critical" a buffer overflow in its remote access service (RAS) software, which is a native service in Windows NT 4.0, Windows 2000 and Windows XP. The security hole could allow an attacker to run any code, the advisory stated.
"An attacker who successfully exploited this vulnerability could gain complete control over the machine, thereby gaining the ability to take any desired action," said the advisory.
Another release detailed two flaws in the way Microsoft SQL server handled XML and a third release warned that Web servers with HTR scripting turned on are also in danger. HTR is an older, obsolete type of scripting now replaced by active server pages.
In addition, Finnish security company Online Solutions uncovered a vulnerability May 20 that exploits Gopher, an all-but-obsolete Internet protocol for fetching data from remote computers and alerted the public last week.
But the threat is much worse than first revealed by Online Solutions. The hole also exists in some Microsoft server products. Microsoft deemed the threat critical for client computers running Internet Explorer 5.01, 5.5 and 6.0 and for Internet or intranet servers running Proxy Server 2.0 or ISA Server 2000.
The new advisors are the latest of several flaws Microsoft has identified in recent months, despite a high-profile campaign by the company to stamp out such problems.
In January, Chairman Bill Gates signaled a new direction for the company in an e-mail to the entire company, asking employees to help make Microsoft's software "trustworthy."
However, the three advisories bring Microsoft's total for the year to 30--detailing nearly 40 flaws--and underscore that the company, which is trying to lockdown its software and exterminate the critical bugs, still has its work cut out for it.
