Microsoft Warns of IE Flaw that Could Expose Local Files


Microsoft issued a Security Advisory (980088) to warn users of a vulnerability in Internet Explorer (shocking) that could potentially expose any file on the local filesystem whose name and location are known.

The vulnerability was discussed, and proof-of-concept code was written and demonstrated, at the Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies.

Microsoft responded with details on the causes of the vulnerability, most notably pointing to Protected Mode being disabled within IE or to running versions of IE that don’t include Protected Mode. That makes Internet Explorer 5.01 and IE6 SP1 on Windows 2000 SP4 vulnerable, as well as IE6, IE7, and IE8 on supported editions of Windows XP and Windows Server 2003. However, Protected Mode runs by default in IE7 and IE8 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, and it prevents the issue.

Microsoft noted that it is unaware of attacks using the vulnerability and recommended that users upgrade to the latest version of IE. You can find more details in the security advisory and knowledge base article to make sure you are protected.
