The patches were released on Tuesday as part of Microsoft's monthly Patch Tuesday update cycle. Microsoft said the critical flaws, if exploited, could allow an attacker to take complete control of a system.
The DNS Server Service flaw, which has been attacked on a limited scale in recent weeks, has been troublesome to some IT pros because DNS servers resolve domain names to the actual IP addresses of the Web servers hosting the requested sites.
Rich Linke, a Chicago-based independent security consultant and former global security manager at Kraft Foods, said security pros will likely get to work on patching Exchange server and deploying the zero-day DNS server updates. Flaws in Internet Explorer and Excel also could "pose issues from a deployment standpoint," and be a sizeable push to the desktop, Linke said.
"Some of the Exchange vulnerabilities kind of look odd and it's not clear at first glance if it affects the Outlook client and the server," he said. "The DNS noise level calmed down quite a bit over last seven to ten days, so we didn't expect the update to come out of cycle."
A remote code execution vulnerability in Microsoft Exchange affects Multipurpose Internet Mail Extensions. In an advisory issued to customers, Symantec called the vulnerability one of the more critical issues of the month.
"A successful attack could completely compromise the computer hosting the vulnerable Exchange server and has the potential for impacting a large audience," Symantec said.
Microsoft also issued patches plugging four critical vulnerabilities in Internet Explorer that could be exploited by an attacker when a user visits a malicious Web site. The flaws are in IE 6 and 7 and include a Property Type Memory Corruption Vulnerability and HTML Objects Memory Corruption.
"As we reported in the recent Internet Security Threat Report, attackers are continuing to leverage browser and application vulnerabilities and social engineering tactics to gain access to computers in order to execute malicious code," Oliver Friedrichs, director, emerging technologies, Symantec Security Response, said in a statement.
Critical vulnerabilities in Microsoft Word, which included an RTF parsing flaw, a document stream flaw and an array overflow flaw, were plugged. Microsoft Word versions 6.0 and earlier were affected. A record vulnerability and a set font flaw in Microsoft Excel were also patched. The flaws in both Word and Excel could be exploited by an attacker to gain control of a computer.
"Since the Microsoft Office vulnerability is entrusted in Web applications, like Internet Explorer, these patches are critical and should also be prioritized and deployed quickly," said Paul Zimski, senior director of market and product strategy for Scottsdale, Az.-based PatchLink.
Microsoft also released a non-security, high-priority update for Windows on Windows Update (WU) and Software Update Services (SUS) and non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
For more information, Microsoft held a Webcast about the latest update.