Georgi Guninski, of Bulgaria, published his advisory on the exploit today, warning Web surfers using Microsoft's recently released Internet Explorer 5.5 that they are at risk.
Malicious programmers who set up booby-trap Web sites to lure unwitting surfers can break into someone's computer records--including cookies, or digital tags that reveal valuable information about a person--using Microsoft's ActiveX technology, which manages the sending and receiving of files.
"The attacker may steal every file to which the user has access and send it to an arbitrary server," Guninski wrote in an email.
The advisory, circulating on the Bugtraq mailing list, tops a lengthening list of security and privacy problems Guninski has discovered in Microsoft's software. The barrage of security hole reports has led at least one analyst to conclude that the public is so accustomed to such news that people are no longer worried.
"The security holes happen so frequently that people are now starting to gloss over them," said Elias Levy, a SecurityFocus.com analyst and Bugtraq moderator.
Microsoft said it is investigating the reported vulnerability.
Consequences of the security hole could be dire, Levy said. For instance, a thief could swipe someone's eBay cookie and then gain total access to the private eBay account.
But the likelihood of something like that happening is fairly slim since attackers would have to know the name of a file before rummaging through its contents, Levy said. As a result, he rated the problem somewhere between four and five on a scale of 10. He also noted that no break-ins have been reported.
The latest vulnerability points to similar security headaches that have come up recently. Just this month, Microsoft investigated a security vulnerability in its Internet Explorer browser that threatened to give attackers free rein in reading known files on targeted computers.