Microsoft has released an out-of-cycle patch to fix three critical and previously disclosed holes in Internet Explorer. The company also released an updated version of a software tool for cleaning out the prolific Mydoom virus and its variants from infected systems.

The latest cumulative patch is contained in Security Bulletin MS04-25 and is aimed at fixing a series of flaws in Internet Explorer that were publicly disclosed in late June.

Microsoft, which typically releases patches in monthly cycles, urged users to install the latest one as soon as possible because of potentially serious risks posed by the flaws.

For instance, one of the holes has already been in an attack called Download.Ject in which vulnerable client systems are infected with a Trojan horse capable of capturing sensitive information, such as log-on names and passwords, or of fooling users into parting with their credit card numbers and ATM codes.

Microsoft released a tool to help users get rid of the Trojan on infected systems in June. On 2 July, the company released a configuration change to Windows XP, Server 2003 and Windows 2000 that was designed to mitigate the risk posed by Download.Ject.

Today's patch finally closes the so-called cross-domain vulnerability in Internet Explorer that Download.Ject takes advantage of, Microsoft said. There is no evidence that the other two flaws addressed by the latest patch have been exploited, said Alfred Huger, senior director of engineering at Symantec's security response center.

One of them is a buffer overflow vulnerability in a software component used to process bitmap image files. The other is a buffer overrun flaw in a function used to process GIF image files. Both flaws could give attackers a way to remotely execute malicious code on an infected system.

"Both of these are a little more difficult to exploit than the first one," Huger said. "We haven't seen any exploits so far but that doesn't necessarily mean there aren't any," he said.

Microsoft's latest patch replaces the MS04-004 cumulative update that was first issued by the company in February and later updated in April. Meanwhile, the company's tool for removing the latest Mydoom variant from infected systems is available at www.microsoft.com/security/incident/mydoom.mspx.