The Cross Frame Navigate bug affects IE 3 and 4 running on most versions of the Macintosh operating system as well as Windows 3.x, 95, 98, and NT, according to the company.
When someone visits a site boobytrapped by malicious developers who have written code allowing them to view specific files on the user's computer, the bug gets triggered. But in order to read the files, the hacker must know their specific name.
Microsoft said the bug was first discovered in late August by Georgi Guninski, who's a 26-year-old Bulgarian according to his Web site. The company said it rushed to get out a patch before making the bug public in order not to alert hackers before a fix was available. Microsoft is telling people who use the affected programs to first download its Internet Explorer 4.01 and then get the patch from the company's Web site.
A similar bug that allowed malicious hackers to track Web usage surfaced in Internet Explorer 3 in August 1997, but later was fixed through a patch and upgrade.