Corporate networks at cyber risk
By Robert Lemos
November 13, 1997 6:19 PM PST
ZDNN

Security experts are warning users to quickly patch the hole left open by the latest bug infesting Microsoft Corp.'s Internet Explorer 4. If properly exploited, they say the security hole could allow hackers to enter a corporate network through a legitimate user's machine.

"This is a real ugly problem," said Adam Shostack, director of technology for network-security startup Netect Inc. "Tools are already out there to exploit this hole." With tools available on the Web, "script kiddies" -- malignant, but unskilled hackers -- will soon follow.

L0pht Heavy Industries, an association of security consultants, reported the existence of the breach on Monday. By Wednesday, Microsoft had confirmed the problem and issued a patch.

Yet, press reports missed the mark, according to security consultants.

"Remote users [read: hackers] can execute any code they want on almost any unpatched machine," said Oliver Friedrichs, a programmer with Canadian firewall maker Secure Networks, Inc. "This is a direct doorway to corporate servers."

Reports about the security hole focused on the danger to individual machines. With the number of downloads of IE4 reported by Microsoft topping 2 million, that spells potential trouble for corporate America.

The solution is simple: Download and use Microsoft's patch. Yet human nature is working against companies.

"It never ceases to amaze me how long these bugs stick around after the patches are available," said Netect's Shostack. The Boston, Mass., firm develops software to detect the holes in networks that hackers exploit. He laments that many networks have not fixed holes that are more than 2 years old.

"There is a reason that companies such as Microsoft and Netscape create patches, and that is to protect customers," said David Fester, Microsoft's IE4 product manager. "It is very important to apply the current patches."

Fester had previously called the bug "obscure," but he explained that doesn't mean it's not serious. "There are tools out there for security -- users should not trust every Web site," he said.

The bug, known as the buffer-overflow or "res://" bug, causes machines that read an overlong hyperlink (greater than 255 characters) to crash, leaving the remaining characters in the processor's memory. On restart, these characters are treated as a program. Any hacker who appends a virus or cracking program onto the end of a long link could essentially invade the network from within. The bug only affects people who use IE4 on Windows 95.

The patch can be downloaded from ZDNet's Software Library. Alternatively, users can turn on Microsoft's IE4 channel from their computers to have the patch, and subsequent announcements, broadcast to them. Turn on the service from the IE4 channel in the favorites menu.