The vulnerability is in IE 5's ImportExportFavorites feature, which lets users import and export lists of commonly accessed Web addresses. The trouble is that the feature lets a malicious Web site operator run executable code on the computer of someone who visits that Web site.
"The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," warned Microsoft in a security alert.
Microsoft said IE 5 users can disable Active Scripting to protect themselves pending the release of a patch. Scripting lets Web authors run mini applications, or "scripts," that operate on a visitor's computer without the user's interaction. Scripting typically is used on Web sites for functions like launching pop-up windows or scrolling text across the screen.
Microsoft posted a list of frequently asked questions, which includes instructions for disabling Active Scripting.
Microsoft acknowledged Bulgarian bug hunter Georgi Guninski for discovering the security hole. Guninski has been credited with discovering numerous security holes in Microsoft's and America Online's Web browsers, many of them exploiting unintended effects of Web scripting capabilities.