Microsoft released a patch late Thursday for a pair of "critical" security holes in its Internet Explorer Web browser but was still investigating a widely publicized vulnerability in its Windows NT and Windows 2000 operating systems.
The browser patch corrects two flaws. The first makes it possible for a malicious hacker to place code on a Web surfer"s PC by way of a cookie. Cookies are small files that Web sites place in a secure area on surfers" PCs to track return visits. The flaw allows a script embedded in a cookie to be saved outside the secure area, on the PC"s hard disk. The code can then be triggered the next time the surfer visits the site.
The second flaw would allow a malicious programmer to include code on a Web site that would automatically execute programs already present on a surfer"s PC once the surfer visited the site.
Microsoft rated both flaws "critical" and advised PC users running version 5 through 6 of Internet Explorer to promptly download the new patch.
Microsoft does not have a patch yet, however, for a recently publicized hole in the software-debugging component of Windows NT and Windows 2000. Malicious users could take advantage of the flaw in the debug tool to gain elevated privileges on a server running either of the operating systems. They could then access, modify and delete otherwise protected files.