Security hole in IE5, patch in progress

Browser hole lets Web sites read files on your PC

Microsoft this week said a security hole in its Internet Explorer 5.0 browser could enable Web site operators to read files on visiting users' PCs.

According to a security alert issued by Microsoft, Web site operators can read files only if they already know the name of the file and the folder in which it resides. The security hole does not allow malicious operators to list the contents of folders, create, modify or delete files, or have any administrative control over other people's PCs.

Microsoft is currently developing a patch, but until it is ready, the company recommends that users add only Web sites they trust to the "Trusted Zone" in IE 5.0 and disable Active Scripting in the "Internet Zone", where all Web sites exist. These actions will provide full functionality for all trusted sites, while preventing untrusted sites from being able to exploit the security hole, officials said.

The security alert states that the problem exists only if Active Scripting is enabled in the security zone that the Web site resides in. Each zone -- Internet Zone, Local Intranet Zone (where all local Web sites exist), Trusted Zone and Restricted Zone (where untrusted Web sites reside) -- has its own set of allowed and disallowed actions, which users can customize.
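To verify that the recommended workaround is actually in place on a machine, the per-zone Active Scripting setting can be audited from a registry export. The script below is an added example, not part of Microsoft's alert or the original article; it assumes the standard Internet Explorer layout (per-user `Zones\<n>` keys, with value `1400` holding the Active Scripting action), and the export text is constructed sample data.

```python
import re

# Constructed sample: a .reg-style export of the per-user IE zone settings.
# Value 1400 is the Active Scripting action (0 = enable, 1 = prompt,
# 3 = disable); the data shown here is invented for the example.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
'''

ZONES = {1: "Local Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
ACTIONS = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r'^\[.*\\Internet Settings\\Zones\\(\d+)\]$', re.I)
VAL_RE = re.compile(r'^"1400"=dword:([0-9a-fA-F]{8})$')

def active_scripting_by_zone(reg_text):
    """Map each zone name to 'enabled', 'prompt', 'disabled' or 'unknown'."""
    result, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # New key: remember the zone number, or None for unrelated keys.
            key = KEY_RE.match(line)
            zone = int(key.group(1)) if key else None
            continue
        val = VAL_RE.match(line)  # other values (e.g. 1A00) are ignored
        if val and zone in ZONES:
            result[ZONES[zone]] = ACTIONS.get(int(val.group(1), 16), "unknown")
    return result

def workaround_gaps(settings):
    """Untrusted zones where Active Scripting is not explicitly disabled."""
    return [z for z in ("Internet", "Restricted")
            if settings.get(z, "not set") != "disabled"]

if __name__ == "__main__":
    found = active_scripting_by_zone(SAMPLE_REG)
    print(found, "gaps:", workaround_gaps(found))
```

A zone with no explicit `1400` value is reported as a gap, since the script cannot tell which default the browser would apply.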

For more information, see Microsoft's security alert. The patch will be available at, and Active Scripting will be required to install it.