For security reasons, browsers typically restrict the kinds of things a Web site can do with scripts. But in this case, Microsoft's Internet Explorer 5.0 browser fails to restrict scripts when they are executed from within frames, the smaller windows that can be embedded within a Web page. The command at issue is "document.execCommand," according to Microsoft.
In a security alert, Microsoft said it was working on a patch that would implement tighter security checks within frames. The patch is not yet available.
The security hole is typical of the type regularly reported by Bulgarian bug hunter Georgi Guninski. Guninski, who first reported this bug, has reported many others in browsers from both Microsoft and America Online's Netscape unit.
Pending a fix, Microsoft is recommending that users disable Active Scripting in IE 5's Internet Zone, a categorization within the browser's security system that includes most Web sites. Users should add sites they trust not to execute malicious content on their computers to the Trusted Zone, Microsoft said, adding that Microsoft should be among these sites if users want to download the patch when it becomes available.
Microsoft stressed that someone exploiting this hole could only read files, not change or delete them.