Microsoft Releases Security PatchMicrosoft Releases Security Patch

Users of Internet Explorer 5.5 and 6.0 learned late Thursday that they need to install a Microsoft security patch to fix what the company has termed critical vulnerabilities.

The patch fixes a flaw that lets hackers read, delete, and corrupt files; gain access to passwords; or drop a Trojan or virus on a victim's system, according to security Bulletin MS01-58. The flaws were discovered by Jouko Pynnonen of Oy Online Solutions Ltd. in Finland.

Microsoft's latest patch fixes three security holes. The first, a flaw in the way Content-Disposition and Content-Type header fields in HTML streams are handled, tricks the browser into thinking a file being downloaded could be safe to open, when in fact it may not be. The second flaw lets a Web-site operator launch two browser windows and use one to read files from the user's computer. With the third vulnerability, the File Download dialogue box displays file names. Without the patch, users could be tricked into downloading malicious files from a supposedly trusted source.

The patch and security bulletin can be found at www.microsoft.com/security.