Vulnerability in Internet Explorer Could Allow Information Disclosure

http://www.microsoft.com/technet/security/advisory/980088.mspx

Thanks to Chris for the tip.

Microsoft is reporting a new vulnerability in IE that could lead to
information disclosure of files with known filenames to a remote attacker.

"[If] a user is using a version of Internet Explorer that is not running
in Protected Mode an attacker may be able to access files with an
already known filename and location."

"[Versions affected] include
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on
supported editions of Windows XP Service Pack 2, Windows XP Service Pack
3, and Windows Server 2003 Service Pack 2"

"Protected Mode prevents exploitation of this vulnerability and is
running by default for versions of Internet Explorer on Windows Vista,
Windows Server 2008, Windows 7, and Windows Server 2008."

An official patch has not been released from Microsoft. They suggest
the following workarounds:

* "Set Internet and Local intranet security zone settings to "High" to
prompt before running ActiveX Controls and Active Scripting in these zones"

* "Configure Internet Explorer to prompt before running Active Scripting
or to disable Active Scripting in the Internet and Local intranet
security zone"

* "Enable Internet Explorer Network Protocol Lockdown for Windows XP"

Our recommendation is to review the mitigation techniques from Microsoft
and implement one until a patch is available. Also, using a different
browser during this time would mitigate the problem. Inform users that
their information is at risk of being disclosed if these protections are
not enabled.

Thanks,
Brian