Microsoft has released a security patch to fix three vulnerabilities in its Internet Explorer web browser.
The patch also includes a change in the basic authentication functionality in IE that Microsoft announced last week.
After installing the patch, the browser no longer supports handling usernames and passwords embedded in web URLs using the "@" symbol.
The security update was released outside of Microsoft's regular monthly patch cycle because of the seriousness of the issues, said Mike Reavey, a security program manager at Microsoft. Microsoft's official patch day this month is Tuesday 10 February.
One of the three patches is rated "critical" by Microsoft, while two are "important". By taking advantage of two of the security flaws, attackers can run or save arbitrary code on a user's computer. Another flaw allows an attacker to spoof a website address and potentially trick users into providing personal information, Microsoft said.
The spoofing issue received wide publicity late last year and Microsoft has been criticised for not delivering a fix sooner. The company said it is providing the security update as soon as possible after completing development and testing.
The problems affect all supported versions of Internet Explorer on all supported operating systems. Users are urged to install the patch immediately (www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-004.asp).
The Internet Explorer 6 Service Pack 1 version of the patch also works on Windows 98, Windows 98 Second Edition and Windows Millennium Edition, which normally would only get patches by request because the products are in what Microsoft calls the Extended Support phase of their lifecycle.
Joris Evers writes for IDG News Service