
Microsoft releases patch for Image Source Redirect

By IT Public Relations
Johannesburg, 22 Feb 2000

Microsoft has released a patch that eliminates a vulnerability in Microsoft Internet Explorer. The vulnerability could allow a malicious web site operator to read - but not add, change or delete - certain types of files on the computer of a visiting user.

When a web server navigates a window from one domain into another one, the IE security model checks the server's permissions on the new page. However, it is possible for a web server to open a browser window to a client-local file, then navigate the window to a page that is in the web site's domain in such a way that the data in the client-local file is accessible to the new window.

The data would only be accessible to the new window for a very brief period, but the result is that it could be possible for a malicious web site operator to view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file, and could only view file types that can be opened in a browser window.

Affected software versions include Microsoft Internet Explorer 4.0 and Internet Explorer 4.01, as well as Microsoft Internet Explorer 5 and Internet Explorer 5.01.

A patch has been made available, and can be found at http://www.microsoft.com/windows/ie/security/patch5.asp

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-009.asp.
