Microsoft has released a patch that fixes 28 flaws in its various products, including six critical problems.

The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media. All Microsoft security patches for both Windows and Office software are available via Microsoft Update.

The first flaw fixes vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) which allows remote code execution if a user visits a poisoned Webpage. It affects Visual Studio .Net 2002, Visual Studio .Net 2003, Visual FoxPro 8.0, Visual FoxPro 9.0, Office Project 2003, and Office Project 2007.

The second flaw in GDI effects Windows 2000, XP, Server 2003, Vista, and Server 2008. Exploitation of this vulnerability allows remote code execution if a user opens a specially crafted WMF image file.

The third critical exploit is in Word 2000, Office Outlook 2007, Word 2002, 2003, 2007, Office Compatibility Pack, Word Viewer 2003, Works 8, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac. This patch fixes eight privately reported vulnerabilities in Word and Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file.

The fourth patch is a cumulative Security Update for Internet Explorer. It is critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

The fifth critical patches are in Excel, which could allow remote code execution.

The last critical patch is for Vista and Windows Server 2008 and fixes a problem that allows remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL.