Microsoft Warns of New Security Flaws
Thu Jun 13, 4:47 PM ET
SAN FRANCISCO (Reuters) - Microsoft Corp. warned users of
three new security flaws in its software on Wednesday,
including one critical defect that could be exploited
to allow a hacker to gain control of a computer
running its Windows operating system software.
Those warnings took the total of such security bulletins
issued by Microsoft this year to 30. The tally shows
the company arguably has made slow progress in meeting
its goal of making its software more secure, about
half a year after making that a top priority.
Microsoft released 60 security bulletins for all of
2001, David Gardner, security program manager for
Microsoft's Security Response Center, said on
Thursday.
"The long-term goal is to get these down as low as we
possibly can," he said. "It's a journey, not a
destination."
In a rare companywide e-mail in January, Microsoft
Chairman Bill Gates
said the company's credibility with customers depended
on its ability to release secure software,
particularly with regard to its Web services plans.
Earlier this year, Microsoft put many of its developers and
engineers through special security training and said
it would scour its code looking for problems.
Although the number of security bulletins appeared to
be tracking the number issued last year, that does not
mean the company hasn't improved its record, according
to Gardner.
"We are seeing effects" of the security initiative, he said.
For example, engineers are finding that they are
discovering many of the security flaws in software
before they are reported by outside researchers, he
said.
Although software companies try to catch and fix bugs
before products are released, they typically end up
having to release patches for security holes
discovered afterward.
"It's gratifying to be working on a patch for something
that's been reported and to find that we already" knew
about it, Gardner said.
NEW CRITICAL FLAWS
Of the bulletins released this week, several are for
vulnerabilities Microsoft has deemed "critical."
One critical flaw affects users of Windows NT 4.0, NT
4.0 Terminal server edition, Windows 2000,
Windows XP
and Windows Routing and Remote Access Server. A patch
has been released that fixes a hole that could shut a
system down or allow an attacker to run malicious code
on a computer.
The other two critical vulnerabilities announced this
week affect users of the Internet Explorer 5.01, 5.5
and 6.0 browser versions, Proxy Server 2.0 or Internet
Security and Acceleration Server 2000, as well as
Microsoft's instant messaging
and chat programs.
A patch is being developed for the Internet Explorer flaw,
which could allow an attacker to use an old Internet
protocol to take control of a victim computer. The
company has issued a temporary solution to protect
customers in the meantime.
Microsoft has released a patch for the vulnerability
in MSN Chat, MSN Messenger 4.5 and higher and Exchange
Instant Messenger that could allow an attacker to run
malicious code on a victim computer.
There were three other non-critical flaws announced this
week, all of which have patches available. Two flaws
affecting Microsoft SQL Server 2000 could allow an
attacker to run code on a target computer.
A flaw affecting Windows NT 4.0 and Windows 2000 users
running Internet Information Server 4.0 and IIS 5.0
could cause the software to fail or allow unwanted
code to be run on the server, the company said.