This story was printed from ZDNet News, located at http://news.zdnet.com.

By Robert Vamosi. URL: http://news.zdnet.com/2100-9595_22-920114.html

COMMENTARY--Last Wednesday, Microsoft issued a critical patch, MS02-023, which includes five different fixes for six known vulnerabilities in three recent releases of Internet Explorer. Got that?

However, several security experts have criticized Microsoft for not resolving the Web browser's underlying security issues, and for not fully testing the patch before its release. In the end, those of you who apply the 2MB patch may find that malicious users can still run scripts and execute arbitrary commands through your Internet Explorer browser.

Here's a recap of the patch's key problems.

  • Microsoft reports that the cross-site scripting flaw, which allows code injected by malicious users to run in the Local Computer zone (regardless of whatever security zone the user had set), is now fixed. However, software engineer Thor Larholm, writing to Bugtraq, says the flaw really involves the "dialogArguments" property, and is not remedied by the latest patch.

  • Microsoft says the cascading style sheets flaw, which could allow a malicious user to read--although not change or delete--files on a remote system, is also fixed. However, software company GreyMagic reports that this fix does not work, either. To prove it, the company offers a demonstration for users to try after installing the MS02-023 patch.

  • Microsoft claims the "Script within Cookies reading Cookies" flaw, which could allow a malicious user to plant a script on your computer that reads cookies belonging to other sites, is fixed. However, Andreas Sandblad, an engineering student, published a workaround on Bugtraq that could allow a malicious user to exploit this even after the MS02-023 patch is installed.

  • Finally, Office guru Woody Leonhard, writing in Woody's Office Watch 7.21 Special Issue, reported a cosmetic bug in the new patch that changes the font in Microsoft's Outlook e-mail program. After you install the patch, the Find and Organize dialog boxes in Outlook shift from Tahoma to Times Roman font styles. Leonhard notes that a few people have also experienced whole system crashes after installing the new patch.

In response to these criticisms, Microsoft has begun investigating some of the concerns, and has suggested these vulnerabilities are new, not previously known or tested.

Nonetheless, Larholm, who regularly tracks vulnerabilities in Internet Explorer and other software, notes that the MS02-023 "fixes" are just the tip of the iceberg when it comes to IE vulnerabilities. His site currently lists 13 security holes in Microsoft's popular browser.

After hearing all this, you may be wondering: Should I download the latest patch from Microsoft?

Yes. After all, some protection is better than none. And this patch is cumulative, so if you haven't patched your browser yet this year, you can play catch-up.

Depending on your system and current browser, there are different versions of the MS02-023 patch available. The file sizes average about 2MB. But keep in mind: Once you begin to install the patch, you can't uninstall it. Woody's Office Watch recommends backing up your system first, or setting a system restore point, just in case the patch causes trouble on your system.

What do you think of the new Internet Explorer patch, MS02-023? Do you think it's worth installing?