Microsoft has released a security patch to plug a hole in its Web browser that could allow hackers to steal passwords and trick people into downloading virulent files. Microsoft said customers using Internet Explorer versions 5.5 and 6.0 should install the patch immediately. The patch, released on Thursday, can be found on Microsoft's Web site. The Redmond, Washington-based software giant, which in recent months has patched a wide range of security holes in its Web browser and Web server software, said the patch eliminates all previously known security problems affecting the two versions of IE and plugs three new holes. The problems were first reported on 19 November to Microsoft by Jouko Pynnonen at Finland-based security firm Oy Online Solutions, according to Pynnonen. By 27 November, Pynnonen said he informed the company of more serious flaws. Microsoft then released a patch 13 December and acknowledged Pynnonen in its security bulletin for reporting the security holes. "Since the attacker could run any program on the victim system, they can do anything a malicious program can do on a system--possibly read or destroy files (including temporary internet files and cookie files), sniff network traffic, find passwords, install backdoors...or viruses," Pynnonen said. One problem, affecting only IE 6.0, allows an attacker to alter HTML information in a way as to trick IE to open a damaging executable file without asking the person for confirmation. Two other problems affect both IE 5.5 and 6.0. The first problem is a variation of a previous security glitch that allows a hacker to open two browser windows: one in the Web site's own domain and the other on an unknowing computer user's system. This could allow the hacker to gather personal information from the local system. A hacker could read, but not change, any file on the computer user's system that can be opened in a browser window. The second security breach can involve a flaw related to how file names are displayed in the "file download" dialogue box. A hacker could misrepresent the name of a file in the dialogue window when a person tries to download a file. The attacker could fool people into accepting tainted files from a trusted Web site. Left unpatched, computer users could face security breaches that may not become apparent for some time. "Opening an email attachment or accepting any download isn't required," Pynnonen said. "The victim user doesn't necessarily notice anything out of ordinary when reading a malicious email message or visiting a malicious Web site." For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section. For everything Internet-related, from the latest legal and policy-related news, to domain name updates, see ZDNet UK's Internet News Section. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum. Let the editors know what you think in the Mailroom. And read other letters.