For the third time this year, Microsoft has issued a cumulative patch to fix security holes in its flagship Internet Explorer (IE) browser, warning that the flaws affect versions 5.01 through 6.0, including IE 6.0 for Windows Server 2003.

The software giant tagged a "critical" rating on the vulnerability, which was detected by researchers at eEye Digital Security.

The latest cumulative patch includes the functionality of all previously released fixes for IE and two newly discovered security holes, the company said in an alert issued on Wednesday.

First up, Microsoft said a buffer overrun vulnerability occurs because IE does not properly determine an object type returned from a Web server. The hole leave the door open for an attacker run arbitrary code on a user's system, potentially putting millions of Web users at risk.

"If a user visited an attacker's website, it would be possible for the attacker to exploit this vulnerability without any other user action," the company warned, noting that an intruder could also craft an HTML email to exploit the flaw.

The patch also fixes a vulnerability that results because IE does not implement an appropriate block on a file download dialog box. Microsoft said this could let an attacker run harmful code on a user's system if the Web user simply visited an attacker's website.

It's the third time this year that Microsoft has issued a monster patch for IE, which is by far the most widely used Web browser on the Internet. In February, a patch carrying a "critical" rating was issued to fix a cross-domain security issue and, in April, the company also released a cumulative patch to plug for other "critical" vulnerabilities.

Microsoft said the latest IE patch will cause window.showHelp( ) to cease to function if you the HTML Help update isn't applied. "If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch," the company noted.