Microsoft has published several security bulletins informing about seven vulnerabilities -five affecting Windows and the other two affecting Exchange-, and the security patches that fix them. Five of these security flaws have been classified as critical, one as important and the other as moderate. In general these vulnerabilities affect all Windows systems (Windows 2000, NT, XP and Server 2003) and Exchange Server 5.5 and 2000. The first of these Windows vulnerabilities lies in 'Authenticode' and could allow ActiveX controls to be downloaded and run remotely without the user's permission. The second has similar effects and causes a buffer overflow in 'ActiveX Windows Troubleshooter Control'. The third and fourth flaws allow arbitrary code to be run and affect 'Messenger Service' and 'Windows Help and Support Center', respectively. Finally, a buffer overflow in the 'ListBox' and 'ComboBox' controls allows code to be run locally. Of the two security flaws detected in Exchange, the first is the most dangerous, as it involves a buffer overflow in the SMTP service and could allow arbitrary code to be run. The second is a cross-site scripting vulnerability in Exchange Server 5.5 Outlook Web Access. In line with its new security policy -in which security patches will be released as a package once a month-, Microsoft has published all the security bulletins and patches described above in two summaries. The one referring to Windows is available at: http://www.microsoft.com/technet/security/bulletin/winoct03.asp, and the Exchange Server summary is available at: http://www.microsoft.com/technet/security/bulletin/excoct03.asp. From these addresses you can access the bulletin for each vulnerability and the patches that fix it.