Microsoft said customers using Internet Explorer versions 5.5 and 6.0 should install the patch immediately. The patch, released Thursday, can be found on Microsoft's Web site.
The Redmond, Wash.-based software giant, which in recent months has patched a wide range of security holes in its Web browser and Web server software, said the patch eliminates all previously known security problems affecting the two versions of IE and plugs three new holes.
The problems were first reported Nov. 19 to Microsoft by Jouko Pynnonen at Finland-based security firm Oy Online Solutions, according to Pynnonen. By Nov. 27, Pynnonen said he informed the company of more serious flaws. Microsoft then released a patch Dec. 13 and acknowledged Pynnonen in its security bulletin for reporting the security holes.
"Since the attacker could run any program on the victim system, they can do anything a malicious program can do on a system--possibly read or destroy files (including temporary internet files and cookie files), sniff network traffic, find passwords, install backdoors...or viruses," Pynnonen said.
One problem, affecting only IE 6.0, allows an attacker to alter HTML information in such a way as to trick IE into opening a damaging executable file without asking the person for confirmation.
Gartner analyst John Pescatore says that, as 2001 draws to a close, the pace of discovery of software vulnerabilities shows no sign of slowing.
The second problem involves a flaw related to how file names are displayed in the "file download" dialogue box. An attacker could misrepresent the name of a file in the dialogue window when a person tries to download a file, fooling people into accepting tainted files that appear to come from a trusted Web site.
Left unpatched, computer users could face security breaches that may not become apparent for some time.
"Opening an e-mail attachment or accepting any download isn't required," Pynnonen said. "The victim user doesn't necessarily notice anything out of the ordinary when reading a malicious e-mail message or visiting a malicious Web site."