Microsoft has released a security update that repairs nine software vulnerabilities, seven of which are rated 'critical'.
The patch includes a fix for a flaw in the XMLHTTP 4.0 ActiveX Control component of the XML Core Service. Microsoft issued a security bulletin about the vulnerability and warned that attackers are actively exploiting the flaw.
The update also repairs three vulnerabilities in Internet Explorer 6, all of which are rated 'critical'.
Two of the flaws affect the DirectAnimation ActiveX Controls, which attackers could exploit by luring a user to a specially crafted website.
An attacker could install spyware or other malware on a system without any user interaction. Microsoft warned that the flaw is being actively exploited.
The third Internet Explorer 6 flaw could also allow for remote code execution if attackers succeed in luring users to a specially crafted website.
The vulnerability is caused by a design flaw in the way that the browser interprets HTML code with certain layout combinations. Microsoft claimed that it is not aware of any exploits.
The SANS Internet Storm Center rated the XML Core Services and Internet Explorer updates as the most urgent.
The remaining updates affect Microsoft Agent, Adobe's Flash player and the Workstation Service, all of which could allow an attacker to take control of a system. Microsoft said that it is not aware of any active exploits.
Users can update their systems through the auto update feature or by downloading the patches from the Microsoft Update website.
The remaining two patches affect Novell's Netware technology and received severity ratings of 'moderate' and 'low'.




