This story was printed from ZDNet Australia.
Microsoft fixes serious Windows flaws
By Joris Evers, CNET News.com
August 10, 2005
URL: http://www.zdnet.com.au/news/security/soa/Microsoft-fixes-serious-Windows-flaws/0,130061744,139206264,00.htm
Microsoft on Tuesday issued alerts on several security flaws in Windows, the most serious of which could allow an attacker to gain control over a victim's computer.

Microsoft released six security bulletins as part of its monthly patching cycle, three of which it deems "critical." The Redmond, Washington-based firm gives that rating to any security issue that could allow a malicious Internet worm to spread without any action required on the part of the user.

One bulletin addresses three flaws in Internet Explorer. Of all the issues Microsoft offered fixes for on Tuesday, these put users at the most risk of attack, said Oliver Friedrichs, senior manager at Symantec Security Response. Two other vulnerabilities, affecting the plug-and-play feature and printing in Windows, could also spell some trouble for users, he said.

An error in the way IE, Microsoft's widely used Web browser, handles JPEG images is especially alarming, according to Symantec. An attacker could commandeer a PC by crafting a malicious image and tricking the victim into viewing it on, for example, a Web site or in an HTML e-mail, Microsoft said in its MS05-038 security bulletin.

"These vulnerabilities can be leveraged by malicious Web sites to install spyware, Trojan horses, bots, or other programs on an unsuspecting user's machine," Friedrichs said.

The other two IE flaws that Microsoft now has fixes for could also allow an attacker to take control of a user's computer. One relates to how the browser handles URLs related to a feature that lets users view file folders in IE. The other deals with the ability of IE to call on other parts of Windows and is similar to a problem patched last month.

While the IE issues affect all currently supported versions of the browser and Windows, Microsoft's two other "critical" security bulletins have a more limited scope: they are not as far-reaching on Microsoft's newer operating system products.

A flaw in the plug-and-play feature in Windows could allow an anonymous attacker to remotely access and control Windows 2000 systems, Microsoft said in security bulletin MS05-039. However, such an attack is not possible on computers running Windows XP with Service Pack 2 or Windows Server 2003, the company said.

Also, a bug in the Windows print spooling service could let an attacker gain access to Windows 2000 and Windows XP with Service Pack 1 machines. The same attack on systems running Windows XP SP2 and Windows Server 2003 would only cause a crash, according to Microsoft's MS05-043 bulletin.

All current Windows versions are vulnerable to a problem with a Windows component that supports telecommunication, Microsoft said in its MS05-040 bulletin, rated "important." However, it primarily affects servers configured as telephony servers, the company said. An attacker could commandeer such a system by sending it a specially crafted request.

The two remaining bulletins are rated "moderate." One fixes a previously known security flaw that, because of a problem in the Remote Desktop Protocol, could let an attacker remotely crash computers running Windows. The other relates to Microsoft's implementation of the Kerberos authentication protocol.

RDP is a protocol that enables remote access to Windows systems. Because of a flaw in the way Windows handles remote desktop requests, an attacker could crash a PC by sending a malformed remote request, Microsoft said in bulletin MS05-041.

The Kerberos problem affects only Windows 2000 and Windows Server 2003 systems used as domain controllers. An attacker could crash such a system by sending it a specially crafted message. Another flaw related to Kerberos could let an attacker spoof a domain controller and potentially access a network, but it can't be exploited by anonymous users, Microsoft said in bulletin MS05-042.

Microsoft urges its customers to apply the patches as soon as possible. Users of Automatic Updates in Windows will get the patches automatically. Microsoft is not aware of any current attacks that take advantage of the problems the newly available patches fix.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.