More security concerns for Microsoft

Fighting a seemingly never-ending battle to secure its internet clientsoftware, Microsoft has released details of "critical" flaws in the security of its Internet Explorer (IE) and Instant Messenger (IM) software.

Not only does the company have no patch for the IE flaw, the patch it had for the IM software replaces an earlier-released one that failed to correct the problem.

Confirming an IE security flaw discovered by Finnish company Online Solutions and announced last week, Microsoft yesterday detailed a way for IE users to protect themselves from attack in the absence of a downloadable patch.

The vulnerability in IE could give a remote user access to a host computer by exploiting a buffer overflow bug in IE's gopher code.

The flaw affects client computers running Internet Explorer 5.01, 5.5 and 6.0, and for internet or intranet servers running Proxy Server 2.0 or ISA Server 2000.

Microsoft noted that older versions of its server products could be vulnerable, but it no longer supports those versions.

In lieu of a patch Microsoft has recommended a work-around that has users changing their browser's internet options settings.

As for the IM security flaws, Microsoft's new patch finishes the job that a patch released on 8 May failed to.

Microsoft's MSN Chat, MSN Messenger and Exchange Instant Messenger all have a flaw that could allow an attacker to run code on target machines via a buffer overflow in ActiveX.

According to Microsoft, the original patch did not stop the affected ActiveX component from being reinstalled on systems in all cases, leaving the potential for patched systems to become vulnerable again. The company released a new set of fixes for all three affected products.

The new security alert, patches and updated versions of the programs can be found here.