IE hole reported

A flaw in Internet Explorer (IE) gives attackers access to files stored on a PC under certain conditions, Microsoft warned.

"Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode, an attacker may be able to access files with an already known filename and location," Microsoft said in its security advisory.

The vulnerability is caused by incorrectly rendering local files in the browser, and affects several versions, including IE 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE6, IE 7, and IE 8 on Windows XP and Windows Server 2003.

"Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," the company said.

Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.

Sources: Computerworld, Microsoft.