The first patch takes care of a problem with IE's ImportExportFavorites feature, which lets users transfer lists of frequently visited Web addresses. The bug lets a malicious Web site operator run executable code on the computer of someone who visits that Web site.
"The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," Microsoft warned in a security alert earlier this month.
Microsoft's patch eliminates the problem, the company said today. Versions 4.01 and 5.0 of IE are at risk. The patch also fixes a related problem involving ActiveX, Microsoft's technology for bringing interactive scripts and controls to Web pages.
ActiveX has long been a security headache for Microsoft. Critics of the technology fault its "trust-based" security model, in which signatures let users choose whether to download an ActiveX control. With this system, users are expected to judge that controls signed by well-known companies like Microsoft are less likely to be maliciously designed than those signed by unknown entities.
In the latest discovery, Microsoft identified eight ActiveX controls it said were "incorrectly marked as 'safe for scripting,'" a designation that assures users that they can download the controls without posing any security risk to their own computers. The controls could be manipulated for malicious ends, however, Microsoft said.
The controls in question are Kodak Image Edit: Wang Imaging; Kodak Image Annotation: Wang Imaging; Kodak Image Scan: Wang Imaging; Kodak Thumbnail Image: Wang Imaging; Wang Image Admin: Wang Imaging; HHOpen: HTML help files; Registration Wizard: Internet Explorer Product Registration; and IE Active Setup: Internet Explorer Setup.
Microsoft credited Bulgarian bug hunter Georgi Guninski with discovering the so-called ImportExportFavorites bug. Richard Smith of Pharlap Software and Australian bug hunter Shane Hird were recognized for discovering the ActiveX problems.