As previously reported, the security hole is in the company's popular Web browser on Windows 95 and 98 and allows the execution of arbitrary programs on computers when users visit a Web page or receive Outlook email. It does so by creating, overwriting, and putting content in local files.
The patch is available on Microsoft's Security Advisor Web site. Microsoft said the patch also fixes the same security hole found in IE 4.0.
The problem allows a hacker to take "full control over the user's computer," according to Georgi Guninski, a Bulgarian programmer who discovered the problem. Guninski has reported a number of bugs in browsers from various makers in the past.
Initially, the security hole was thought to be related to an ActiveX control that ships with IE4 and IE5 and that could have posed a security risk to customers if it were used improperly by a malicious hacker, Microsoft said.
The new patch eliminates security vulnerabilities in two ActiveX controls, "Script.typlib" and "Eyedog." These controls are not related, except that both are incorrectly marked as "safe for scripting" and have been pulled from Internet Explorer, Microsoft stated in its patch summary.
ActiveX is a component software technology from Microsoft that provides tools for linking desktop applications to the Web. Using a variety of programming tools, including Java, Visual Basic, and C++, developers can create interactive Web content. For instance, ActiveX technology can allow users to view Word and Excel documents directly in a browser.
ActiveX has been criticized in the past for being less secure than other component models.
Beginning next week, Microsoft said it also will post the patch on its Windows Update Web site.