Microsoft Sews Patch for IE

But security researchers call fix for six critical vulnerabilities incomplete.

Microsoft Corp. last week released a hefty cumulative patch to address a number of security problems in Internet Explorer, including six new vulnerabilities rated by the software maker as critical.

But a group of security researchers said Microsofts fix is incomplete and doesnt resolve a key problem.

The patch contains fixes for all previously discovered flaws in IE 5.01, 5.5 and 6.0, according to Microsoft officials in Redmond, Wash.

Among the security holes revealed last week is a flaw in the way that an HTML object supports Cascading Style Sheets. An attacker could create a Web page or HTML mail message to exploit the vulnerability. However, he would need to know the exact name and location of the file he wanted to read.

Another similar flaw allows an attacker to build a cookie that would expose information contained in other cookies stored on a users machine. But, again, the attacker would need to know the exact name of the target cookie.

There is also a cross-site scripting flaw in one of the local HTML files that ships with IE. A successful exploit of the vulnerability would give an attacker the ability to execute scripts on the users machine in the Local Computer zone, which has fewer restrictions than other IE zones.

The patch for the cross-site scripting vulnerability, however, addresses only part of the problem and only in IE 6.0, leaving Version 5.01 and Version 5.5 still vulnerable, according to officials of GreyMagic Software, a security research company in Jerusalem.

"Microsoft did not understand the problem. They only patched a symptom of this vulnerability, not its root cause," GreyMagic said in a posting on the BugTraq mailing list.

Microsoft security officials defended their actions, saying the current patch is good and the issues that GreyMagic raised are new to them.

"We did a full investigation with all of the information we had available, and we didnt find that 5.01 or 5.5 were vulnerable," said Christopher Budd, security program manager at Microsoft.

The other new vulnerabilities are variants of the content disposition problem in IE for which Microsoft issued a patch last year.