Microsoft has released five patches, three of which it deemed critical, including a highly exploited hole in Internet Explorer.

Thanking more than a half-dozen security researchers for pointing out a hole in its Internet Explorer application, Microsoft released a cumulative patch it said fixes the CreateTextRange vulnerability.

First reported by Copenhangen, Denmark-based Secunia Research, said the flaw could let malicious hackers turn systems using IE 6 into "spam zombies", as another security researcher characterized the threat.

Today's cumulative patch "resolves several vulnerabilities in Internet Explorer that could allow remote code execution," according to Microsoft. The software maker urged IE users to immediately apply the patch.

Prior to the cumulative security fix, several third-party patches were released to combat the vulnerability.

The security bulletin also includes a compatibility patch giving enterprise customers a 60-day reprieve to test Web applications before changes to ActiveX behavior is made permanent.

The patch affects users of IE 5.01 and IE 6 running Windows XP, Windows Server 2003 and Windows 2003.

Two of today's five security patches involve IE, due mainly to IE's tight integration with other Windows components, Marc Maifret, co-founder of eEye Digital Security, told

Maifret's company was just one that offered a third-party patch to fill the gap between Microsoft's official IE fix.

As an example of the security threat posed by IE's integral position in the Windows operating system, Microsoft released a second critical security bulletin involving IE's Data Access Components (MDAC) library.

A vulnerability in the Remote Data Services portion of the library could permit hackers to bypass the browser's security restrictions and enable malicious objects to be run within IE's "Internet Zone."

This article was first published on To read the full article, click here.