New bugs in Outlook and Explorer

Microsoft's Outlook and Internet Explorer have been hit by more security holes.

The software giant said it was investigating a report by security company eEye - which has found numerous Microsoft security holes in the past - of a new set of potentially serious flaws in the e-mail app and Web browser.

The two holes could let an attacker take control over a system with minimal action from the user, eEye said in two security alerts posted on its page of upcoming advisories. The company ranks the flaws "high" risk.

One of the vulnerabilities could let an attacker compromise a user's machine after the user clicks on a Web link, said Marc Maiffret, co-founder and chief hacking officer at eEye. "Nothing that would be normally suspicious to the user," he said. The flaws affect both Outlook and Outlook Express, according to Maiffret.

The flaws exist in the default installations of the applications on most current versions of Windows, according to eEye. The company has informed Microsoft and will not provide further details until Microsoft has provided a patch or security alert, it said on its website.

"We keep all the details private until Microsoft produces a patch. But that is not to say that nobody else has discovered the vulnerability and produced an exploit," Maiffret said. However, eEye has not seen any attacks that take advantage of the flaws yet, he said.

Microsoft is investigating the privately reported possible vulnerabilities, a spokeswoman confirmed. The result could be a fix as part of the company's monthly patching cycle or a special update, the spokeswoman said.

eEye reported the flaws to Microsoft on 16 March and 29 March, according to the eEye website. Maiffret hopes Microsoft will produce a patch within two months, the industry standard time for delivering a fix, he said.