Microsoft released three software patches rated 'critical' late yesterday.
The patches plug holes in Internet Explorer, Windows XP, SQL Server 2000 and Commerce Server 2000.
Two of the patches aim to fix information disclosure flaws in Microsoft's IE web browser.
The first flaw exists in IE versions 5.01, 5.5 and 6.0. Through it, malicious website operators can read files on users' computers and tap information entered into the web browser, such as usernames, passwords and credit card details.
The second information disclosure flaw also requires a user to visit an attacker's website and would allow the attacker to read files on users' systems. Fixing this flaw requires patching IE 6.0, the Windows XP operating system and the SQL Server 2000 database server, as all three contain the flawed code.
This vulnerability, dubbed the XMLHTTP bug by security experts because it appears in the XMLHTTP ActiveX control, has been waiting for a plug since it was published on 15 December last year.
The ActiveX control is part of Microsoft's XML Core Services software. Flawed versions of the control ship as part of Windows XP, IE 6.0 and SQL Server 2000.
The third patch Microsoft issued fixes a buffer overrun flaw in Commerce Server 2000, software that supports electronic commerce websites.
An attacker exploiting the flaw could gain full control over the system running the software by sending a malformed request to it, Microsoft said in security bulletin MS02-010.
Thor Larholm, a Danish internet programmer and security expert who maintains a list of security holes Microsoft has yet to patch on his website, said Microsoft is on the right track.
"It is nice to see that they have patched most of the holes listed on my site, but it is frightening to witness the amount of time it took and the pressure from the public that was needed," he said. "However, Microsoft's actions are a promising trend and I hope their initiative to put more focus on security will outlive the month."
Notwithstanding the patches, IE remains vulnerable, according to Larholm.
"Internet Explorer remains insecure. In the next month or two we will probably have about five new vulnerabilities. I have listed three current vulnerabilities that aren't public yet, but were discovered by a software firm. Microsoft is currently investigating these holes that allow an attacker to read local files," he said.