The bug lets a malicious Web author add a small suffix to a URL in order to misrepresent its origin. As a result, IE could wind up treating the Web site as though it were part of the client's local domain, such as within a corporate intranet, bypassing IE's security zones.
The bug affects versions 4 and 5 of the browser.
One manifestation of the bug lets a Web operator read local files and send them to another server if he or she knows the name of the file. This scenario is demonstrated on the Web by the bug's discoverer, Bulgarian bug hunter Georgi Guninski.
The second scenario lets the Web operator spoof a window of a trusted site, potentially tricking visitors into yielding private information such as usernames, passwords, or credit card information. Microsoft has fended off similar examples of the bug in the past.
Guninski posted a demonstration of this exploit as well.
Microsoft pointed out that no users have reported encountering similar exploits on the Web but said engineers are working on a fix. Concerned users can disable scripting pending a fix.
In other IE news, Microsoft released a slightly modified version of IE 5 that fixes some compatibility bugs that cropped up with its new Office 2000 suite. Microsoft is offering that upgrade as the standard IE 5 in order to maintain consistency.
Microsoft also announced its IE 5 Evaluation and Deployment Kit (EDK), a CD-ROM with a deployment guide for the browser and instructions on how a business can switch to IE 5 from AOL's Communicator browser. It also includes IE 5 and its administration kit. The EDK costs $6.95 and is available from Microsoft.