Dubbed by Microsoft the "Cross Frame Navigate Vulnerability," the hole lets a malicious site author write a script that opens a new browser window to view a specified file on a visitor's computer. Microsoft's Internet Explorer browser, like others, normally lets the local user find files on the hard drive, as well as Web addresses, through the URL bar.
The patch shores up security measures already built into the browser, designed to protect against this kind of exploit.
Microsoft, which faced a similar hole in October, strongly urged users to install the present patch as soon as possible. But IE group product manager Mike Nichols minimized the hazard of the new bug, noting that no incidents involving it had been reported yet, and that it would be difficult for someone to exploit.
He pointed out that for such an exploit to work, a Web site author would have to know the exact name and location of the file he or she wished to view, and then persuade the owner of that file to visit a maliciously designed Web site.
The hole affects the 4.x versions of the browser and most 3.x versions as well. The patch is available only for the 4.01 browser; users must upgrade to IE 4.01 before installing the fix.