InfoWorld: Microsoft issues Internet Explorer security patch [affecting Win2k version]Feb 17, 2000, 20:20 (6 Talkback[s])
(Other stories by Douglas F. Gray)
"ON THE EVE of the release of its much-delayed Windows 2000, Microsoft on Wednesday issued a patch for a security vulnerability in the Internet browser which is bundled with the new operating system.
The bug, which Microsoft calls the Image Source Redirect vulnerability, makes it possible for a malicious Web site operator to read certain types of files on the computers of visitors using Internet Explorer (IE) versions 4.0, 4.01, 5.0 and 5.01."
"When a Web server sends a new page to an IE browser window which comes from a different domain to the one currently being viewed, IE checks the server's permissions on the new page. The vulnerability makes it possible for a Web server to open a browser window to a file stored on the IE user's computer, and then switch to a page in the server's domain, gaining access to the contents of the user's files in the process, Microsoft said in a statement."