April 6, 2006 12:14 PM PDT

Microsoft to slap patch on risky IE hole

As part of its monthly patching cycle, Microsoft plans on Tuesday to release five security bulletins with fixes for flaws in Windows and Office.

At least one of the alerts is deemed "critical," Microsoft's highest risk rating, the software maker said in a notice posted on its Web site on Thursday. It tags as critical any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

One of Tuesday's bulletins will be for its Internet Explorer Web browser. It will include a comprehensive update with multiple fixes, including one for the publicly known "CreateTextRange" vulnerability, Microsoft said. It did not specify what other issues its additional Tuesday patches will repair, or how many flaws will be tackled.

Security researchers have noted several unpatched flaws in IE. The CreateTextRange bug is considered most critical by experts. The flaw is being exploited by malicious Web sites to install spyware, remote-control software and Trojan horses on vulnerable PCs, experts have said. Third parties have provided temporary fixes.

As part of its monthly patch day, Microsoft also plans to release an updated version of the Windows Malicious Software Removal Tool. The software detects and removes common malicious code placed on computers.

Additionally, this month's patches will make a change to the way IE handles Web programs called ActiveX controls. These tweaks are related to a long-running patent dispute between Microsoft and a startup backed by the University of California. The changes can affect how certain sites display in the browser.

People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.

Microsoft gave no further information on the upcoming bulletins, other than stating that some the Windows fixes will require restarting the computer. The Office fix may also require a restart, it added.

The Redmond, Wash., software maker offers advance notification about patches so people can get ready to install the updates.

Last month, Microsoft released two security bulletins covering six flaws in Office, most of which were related to Excel, and one flaw in Windows. The Office bulletin was tagged critical, while Microsoft deemed the Windows problem "important," one notch lower on its four-tiered rating scale.

Microsoft said it will host a Webcast about the new fixes on Wednesday at 11 a.m. PDT.

See more CNET content tagged:
bulletin, flaw, fix, patch management, Microsoft Office


Join the conversation!
Add your comment
Typical MS
Why act like a responsible company? If open source can release a solid fix in a day or two(sometimes less), why does it take weeks or months for MS to fix anything?
Posted by Bill Dautrive (1179 comments )
Reply Link Flag
Once of the reasons is that Microsoft has to validate, to the best of their ability, the patch to make sure it will not have a negative impact on their customers. MS has custormers from Mom and Pop to Major Enterprises.
Slapping a patch in and not validating that it will not break some customers spplications takes a while.
Posted by Sboston (498 comments )
Link Flag
Message has been deleted.
Posted by anarchyreigns (299 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.