The most serious flaw, rated "critical", could give an attacker full control over a user's PC.
All three vulnerabilities exist in the spreadsheet component of Office Web Components (OWC), software that provides limited Office functionality in a Web browser without the need for Office to be installed.
OWC is shipped with various Microsoft products, including Office, and is also available as a separate download.
For standard computers Microsoft rates the flaw as "critical", but it says the vulnerabilities present only a "moderate" risk to Internet and Intranet servers.
The most serious vulnerability lies in the "Host()" function of the spreadsheet OWC component.
An attacker could take any action on a PC that the user could by sending a specially crafted HTML (Hypertext Markup Language) e-mail or luring the user to a Web site containing the special HTML page, Microsoft said.
The other two vulnerabilities lie in the "LoadText()" and "Copy()/Paste()" methods of OWC. These expose files and the clipboard contents on a user's system. To read files, an attacker would have to know the location of the files and the files have to be readable through a Web browser, limiting the scope of the vulnerability, Microsoft said.
Both the OWC 2000 and OWC 2002 software is affected. It is shipped with Microsoft's BackOffice Server 2000, BizTalk Server 2000, BizTalk Server 2002, Commerce Server 2000, Commerce Server 2002, Internet Security and Acceleration Server 2000, Money 2002, Money 2003, Office 2000, Office XP, Project 2002, Project Server 2002 and Small Business Server 2000, according to Microsoft.
Patches to eliminate the vulnerabilities are available. Microsoft advises Office XP users to install Office XP Service Pack 2 instead of the general patch. Users can also download and install the updated OWC software from Microsoft's Web site instead of patching. OWC is about seven megabytes in size.
More information can be found in Microsoft's security bulletin MS-02-044 at