Microsoft patches three "critical" IE security holes

Urges everyone to go on an update frenzy…

By Ina Fried

Published: 2 August 2004 08:40 GMT

Microsoft has released a patch for Internet Explorer designed to close three critical holes in the browser, including one that paved the way for the Download.Ject Trojan horse.

The software giant offered a work-around earlier this month and had promised in recent days that a comprehensive fix would be coming soon. Microsoft has also worked with law enforcement to shut down the Russian server that had been the source of malicious code.

The new patch, which is available from Microsoft's security website, closes the hole, and Microsoft encouraged all IE users to update their browsers. Technically, the flaw is what's known as a cross-domain vulnerability, through which an attacker is able to cross a security boundary within the browser to deliver and execute malicious code.

Microsoft security program manager Stephen Toulouse said that the company was already working on an IE update when it became aware in late June that the vulnerability was being exploited. "Once we became aware of the specific attack on our customers, that's when we began to mobilise," Toulouse said, pointing to the company's work with law enforcement and ISPs.

The patch also addresses two other publicly known flaws in IE, both related to image processing and both rated as critical because they could allow malicious code to be run on a vulnerable system.

Toulouse said the company does not know of any attacks related to these two flaws, but he said: "We want to make sure that customers have this update so they are protected."

Security company Symantec urged web surfers to apply the patch.

"With the widespread use of Microsoft IE in both the enterprise and consumer environments, it is critical that security patches be applied immediately," Alfred Huger, senior director of Symantec Security Response, said in a statement.

Some have said that IE vulnerabilities have become so common that web surfers should consider other browsers.

Toulouse noted that the company has improved IE in the forthcoming Windows XP Service Pack 2, adding that those running that version of the operating system were not vulnerable to the attack because of changes the company made to the internal structure of the browser.

Ina Fried writes for CNET News.com
