Attacks using either vulnerability require users to download malicious files from a Web site or open them when they arrive as e-mailed file attachments.

Also at risk, said Symantec, is XP's and Server 2003's Windows Explorer, the operating system's file interface. Explorer will crash when attempting to open a malformed WMF image, said the Cupertino, Calif.-based company. Sehato divulged this third bug as well.

Problems with Microsoft's Office software have been endemic since early 2006, and there are no signs that hackers and researchers have emptied its well of vulnerabilities. During 2006, for example, Microsoft issued 13 security updates for Office 2000 and 11 for Office 2003. In the first two months of 2007, it released four bulletins for Office 2000 and six for Office 2003.

And last week, eEye Digital Security announced that its researchers had uncovered the known Office 2007 flaw.