• PC World
• »Computers

Thank you, Microsoft. Some months I worry that I won't have much to write about. But the bug factory in Redmond almost assures me of permanent employment.

This month, Microsoft released its most recent cumulative patch for Internet Explorer versions 6.0, 5.5, and 5.01. The patch fixes six newly discovered holes, and it includes all previous security patches. But the patch had been out for less than a day before bug trackers discovered a problem.

Danish bug catcher Thor Larholm and Israeli researchers at GreyMagic Software say the fix for one of the worst bugs works only with IE 6--not with versions 5.5 or 5.01. The bad bug is called a cross-site scripting vulnerability. A hacker could craft a Web page or send an HTML e-mail message that ran as if it were in IE's Local Computer zone. Typically, this zone has lower security settings than IE's Internet zone.

If the Web link or e-mail contained nefarious code, and if you had IE's security set to the lowest setting, the devious code could take over your PC.

Microsoft claims the patch blocks all attacks, but the bug experts say that it stops such attacks only on IE 6. "We have an investigation under way and will respond appropriately," says Christopher Budd, a program manager with Microsoft's Security Response Center. That answer is Microsoft-ese for "We will issue more patches if necessary." No word yet on when or whether Microsoft will do so.

Aside from the fix for cross-scripting, the cumulative patch contains two others that Microsoft calls "critical." One flaw would allow someone to read (but not change or delete) the files on your PC. Another hole would let a malefactor send you a special cookie, either through a Web page that you click or via an HTML e-mail that you open; this evil cookie could read the contents of other cookies.

Your system is protected from e-mail attack through all three holes if you've installed the Outlook E-Mail Security Update or if you're running Outlook 2002 with the "Read as plain text" option enabled.

Jump to Microsoft's Security Bulletin for a link to the cumulative patch. While you're on this Web page, click the Technical Details link for the Outlook update download and for more details about the update.

Microsoft promises that all of these fixes will be included in the upcoming Service Pack 1 for IE 6.0, but the company hasn't said when the service pack will be available.