Researchers Find Flaws In IE Patch


The massive patch Microsoft issued last week for Internet Explorer fails to fix all of the vulnerabilities it targeted, security researchers said.

Researchers at Vigilinx said that, after they installed the cumulative patch, cross-site scripting vulnerabilities remained in legacy versions of IE, including versions 5.01 and 5.5.

Additional testing of the patch showed weaknesses in the information disclosure vulnerability, the firm said.

Microsoft released the patch last week to fix six new vulnerabilities in IE and said the most serious flaw could allow an attacker to run any code he or she chooses. IE versions 5.01, 5.5 and 6.0 are affected.

Another company, GreyMagic Software, said the patch failed to correct one of the vulnerabilities.

A Microsoft spokesman said the developer updated its original bulletin about the patch with some wording changes. But he said the patch is effective.

"The patch works," he said. "It fixes the vulnerabilities."

Microsoft is investigating reports of additional vulnerabilities in IE that have come out since the patch was released, he added.