Microsoft to patch patch for IE

Microsoft will release a cumulative patch for Internet Explorer at the weekend, plugging a security hole that had been used by Trojan horse program QHosts to compromise consumers' PCs.

The patch - the fortieth that Microsoft has issued this year - seals several security holes in Internet Explorer 5.01, 5.5 and 6.0 for all versions of Microsoft Windows. The giant deemed the patch critical to all versions of Windows, except Windows Server 2003, which runs with more security in its default installation.

The patch repairs a previous patch that didn't properly protect against two ‘object type’ vulnerabilities. The vulnerabilities have been exploited by Trojan horse QHosts to compromise people's PCs when they browse a website that has attack code built in.

"An attacker could seek to exploit this vulnerability by hosting a specially constructed web page," Microsoft stated in the advisory. "If the user visited this web page, Internet Explorer could fail and could allow arbitrary code to execute."

That's exactly what happened at FortuneCity.com, when an unknown attacker was able to replace a banner ad on the site with code that copied the QHosts program to any computer that viewed the page with Internet Explorer. The program doesn't attempt to spread itself, so it isn't considered a computer worm or a virus.

Microsoft has been sued by a Los Angeles resident for its handling of security patches and for allegedly putting customers at risk by not offering proper security for its Windows operating system.

Robert Lemos writes for CNET News.com.