The advisory explains that content from local files can be forced to render
incorrectly in such a way that other information on the system is exposed.
The vulnerability was discussed in depth by
Jorge Luis Alvarez Medina at last week's
Black Hat DC conference.
Jorge is a security consultant at Core Security Technologies who
revealed the issue a day after Microsoft released an out-of-band
security bulletin for their browser.
Here's the official description of the briefing at the
Black Hat conference:
"In this presentation we will show how an attacker can read every
file of your filesystem if you are using Internet Explorer. This attack
leverages different design features of Internet Explorer entailing
security risks that, while low if considered isolated, lead to
interesting attack vectors when combined altogether. We will also
disclose and demonstrate proof of concept code developed for the
scenarios proposed."
Internet Explorer versions that do not have Protected Mode, or those
where users have chosen to disable it, are exposed to an attack
in which files with an already known filename can be read, provided the
exact location on disk is known. Versions affected include Internet Explorer
5.01 and IE6 SP1 on Windows 2000 SP4, as well as IE6, IE7, and IE8 on
supported editions of Windows XP and Windows Server 2003. Protected
Mode is enabled by default for IE7 and IE8 on Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2.