Microsoft on Monday released an oft-delayed cumulative patch to fix several known security holes in its flagship Internet Explorer (IE) browser.

The software giant issued the IE fix outside of its scheduled release cycle because of the "critical" nature of the patch and because proof-of-concept exploits have been circulating on several mailing lists.

Microsoft said the IE update would eliminate three vulnerabilities, including a URL-spoofing flaw being exploited by scammers, a file download flaw that could lead to harmful code execution and a bug in the cross-domain security model of IE that could lead to system takeover.

Details of the URL-spoofing flaw have been circulating for several months and, just last week, Microsoft explained that Monday's IE patch could return error messages on Web sites that use clear text to authenticate user names and passwords.

The patch, which applies to IE versions 5.01, 5.5 and 6.0, also fixes a vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML events in the browser.

"This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download," Microsoft said, confirming an earlier warning that the flaw could be exploited to trick users into downloading malicious files.