A fourth patch, which the company called "important," also fixes a similar vulnerability in the Windows operating system that is used on more than 90 percent of the world's computers.
The patches, released as part of Microsoft's regular monthly update, apply to versions of the Windows operating system dating back to Windows 98, and also affect Windows server systems going back to Windows NT Server 4.0.
They are aimed at preventing an unauthorized person from being able to install new programs, or to view, change or delete existing data on another person's computer.
Similar flaws resulted in the Blaster worm, which hobbled hundreds of thousands of computers worldwide last August.
A security expert predicted that the latest flaws could result in a similar attack, perhaps as soon as two weeks from now. Windows users who install the patch would not be affected.
"There's definitely going to be attacks that come from this, just because of the criticalness of the vulnerability," said Marc Maiffret of Aliso Viejo, Calif.-based eEye Digital Security, which discovered some of the flaws.
Maiffret said eEye found some of the flaws as long ago as September. He criticized Redmond-based Microsoft for not taking quicker action.
Stephen Toulouse, Microsoft security program manager, said the company would release a patch more quickly if it thought a flaw were being exploited. But in general, he said, Microsoft has tried to release patches just once a month to make it easier for customers to keep track of the downloads.
Microsoft has made security a priority since early 2002, following a series of embarrassing problems. The company is scheduled to release a free update for its Windows XP operating system later this year that is aimed solely at improving security