The flaw is in the runtime of Visual Basic and other development tools.
"If you develop an application that uses [those DLLs] then that application transmits those vulnerable DLLs to the client system," Kandek says. He says independent software vendors will have to patch their applications.
Paul Henry, security and forensic analyst at Lumension, says that, as a whole, the group of patches represents "some serious issues that need to be patched immediately. It is incredibly difficult to prioritize them."
Thirteen of the 28 vulnerabilities were given the top rating on Microsoft's new "exploitability index." A ranking of "1" means that the vulnerability is an attractive target for hackers because they can create exploit code that could consistently exploit the vulnerability.
Microsoft on Tuesday also released a security advisory to notify users that it is investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 SP4, XP SP2, Windows Server 2003 SP1, and Windows Server 2003 SP2.