Microsoft Corp. today patched eight vulnerabilities -- three of them marked "critical" -- in Internet Explorer, Office, Exchange and SQL Server.

The most serious of the flaws is a bug in Exchange that attackers can trigger simply by sending a specially crafted message to a company's mail server.

In today's four security updates, Microsoft delivered fixes for the three critical flaws, as well as patches for five additional bugs it pegged as "important," the second-highest threat level in the company's four-step scoring system.

Several researchers put the Exchange update, MS09-003, at the top of their list because of the likely attack vector. According to Microsoft, the critical Exchange vulnerability can be exploited when a user "opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message."

http://www.computerworld.com/action/...intsrc=hm_list