THE SECURITY RISK
SEATTLE--(BUSINESS WIRE)--Dec. 27, 1999-- Confirmed by Microsoft -- Hackers could read PC users' private files through a security hole in Internet Explorer (IE). By exploiting JavaScript, a Web scripting language for executing actions on a Web page or HTML e-mail, without user input, prying individuals can circumvent the IE security checks to spy on any file that can be viewed through the browser window.
IE can execute a command ``NavigateAndFind'' within a Web page or an HTML-based e-mail, which directs the browser to a specific Web page to highlight selected text there. Normally, IE will perform a security check to make sure the command is not directing to a file located on the user's computer. However, by directing this command to a JavaScript URL contained within a frame, hackers can override the security check and execute the JavaScript. As a result, a hacker can read any document that can be viewed in a browser window. Files that can be viewed include: Word documents, HTML pages, text files, cookie files (that can contain passwords and personal information), jpeg and gif images and other files. The security hole does not allow modifying or deleting files.