MS Patches Exchange, Windows Flaws
By Ed Oswald | Published May 9, 2006, 4:48 PM
Microsoft patched two critical code execution flaws in both its Windows and Exchange products, as well as a denial of service issue within Windows, as part of its monthly Patch Tuesday program. Missing, however, was an expected cumulative patch for Internet Explorer.
Some security watchers believed that the Redmond company would issue another cumulative patch to fix numerous new vulnerabilities that have surfaced in the browser. Both Secunia and eEye Digital Security list several flaws in IE severe enough to pose a system compromise risk.
The last cumulative patch came in April as part of that month's Patch Tuesday release.
The first of the "critical" patches fixes a code execution vulnerability within Microsoft Exchange. Discovered by Secunia researchers, the flaw exists in Exchange Calendar and could pose a system takeover risk.
"An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an email with certain vCal or iCal properties," Microsoft said in an advisory.
The second involves two vulnerabilities within Macromedia's Flash player software. Both could be exploited by using a specially crafted SWF Flash animation file that would be embedded in a malicious Web site or e-mail. An attacker could take complete control of an infected system, according to Microsoft.
The issue affects those who are using Flash Player 6 or earlier. Adobe has provided guidance for those using Flash Player 7 or higher, the advisory reads.
Finally, a patch for a "moderate risk" flaw involving a denial of service risk was issued for Microsoft's Distributed Transaction Coordinator. An attacker could send a message to a vulnerable computer that would cause the MSDTC to stop responding.
"Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests," Microsoft said.
Score: 0
|Mark my words: The missing IE cum-patch will not show until June 8 earliest leaving the world to switch to Opera or Firefox as viable alternative. With those at least you know 2 things: A. They're rated safe and B. they fix new issues before you get your evening meal ....
PS so many faux pas in the announcement department could only come from Seattle....I wonder why it's even in the news...just give them the silence treatment.
Score: 0
|The patch was already available for download for a few weeks and I rolled it out on my domain with no issues.
You realize that EOLAS can sue you for not having the patch on their systems, because you would be under infringement of the patent as well?
Score: 0
|Be wary of installing MS06-019, it can potentially break a Blackberry BES server.
Score: 0
|Just finished giving our BES admin account in AD the "SendAs" permission to all of our blackberry users. Ugh, that wasn't fun.