The security flaw surfaces as the software giant reels from a series of miscues involving security breaches and software leaks.
The latest bug has to do with the way Microsoft's Internet Explorer browser handles the Java programming language, according to veteran browser-bug hunter Georgi Guninski.
The flaw lets a malicious Web site operator use a script to open a new browser window. That window opens with the computer owner's security safeguards.
Because IE normally lets the local computer user find files on the hard drive as well on the Web, the maliciously scripted window can display any file on a person's computer.
Scripts are lines of computer code that give browsers instructions to execute actions without a person's interaction. Scripts can open pop-up windows, run tickers across a screen, or double-check information entered in online forms.
Internet Explorer comes equipped with a security mechanism that should prevent Web authors from using scripts to peek from one window into another with the minimum security safeguard. But Guninski's exploit takes advantage of what he described as flaws in IE's Java implementation to circumvent those mechanisms.
Microsoft said it was investigating the problem, which it learned of yesterday morning, and declined to comment further on the security hole pending its investigation.