Scrambling to do damage control in the wake of reports of security glitches in its Internet Explorer browser, Microsoft has posted what it calls a "comprehensive" security patch.
Users can download the single security patch from http://www.microsoft.com/ie/security/update.htm/.
The patch is designed to protect Explorer users from three potential security problems discovered last week, according to company officials. Nevertheless, Microsoft continues to maintain that customers themselves have not reported being affected by the security issues and that security problems have been discovered mainly by students experimenting with the browser.
At the Web site, Microsoft also posted a list of frequently asked questions and answers about the three security glitches: one widely labeled "Cybersnot;" the MIT variation; and a security hole discovered at the University of Maryland.
The Cybersnot and MIT security holes concern the close relationship between the Windows operating system and the browser, developed by Microsoft to allow Explorer to execute Windows files. This allows companies to share executable files for specific software routines across a company's intranet. For example, Explorer will automatically execute .ISP files embedded in a Web site (a similar issue involves .URL and .LNK files). But this potentially allows programs on a Web site to alter directories or delete files on a browser's desktop.
The University of Maryland glitch involves making a Windows Explorer window in a Web site look like a button, which can execute files when double clicked.
In addition to logging on to the Web site, customers can also call to order the fix on a floppy disk. The local number is 09-357-5576 but Microsoft New Zealand spokesperson Carol Leishman warns that the usual "nominal charge" of $20 applies "so it's probably preferable that Explorer users go to the Website for the patch - which is probably where they downloaded their copy of Explorer anyway."
The security issues can affect users of Microsoft Internet Explorer versions 2.0, 3.0 and 3.01 for the Windows 95 and Windows NT operating systems. They do not affect users of Explorer 3.0 and 3.0a for Windows 3.1 or any version of Explorer for Macintosh, according to Microsoft.
The comprehensive security patch supports all users of the English-language version of Microsoft Internet Explorer 3.0 and 3.01. Comparable security patches for international versions will be available within the next few days.
Microsoft has also created an email address - firstname.lastname@example.org - expressly for customers to report new security issues with any Microsoft product. Microsoft teams monitor the new email alias 24 hours a day and the company said they will respond immediately to issues as they occur.