The Internet Explorer Bug Can Divulge Local Files

February 5, 2010

Internet Explorer Bug Can Disclose Local Files

Microsoft has disclosed a vulnerability in Internet Explorer that can allow an attacker to read local files on the system as HTML.

Technically, all versions of IE are affected. As a practical matter, however, only Windows XP and Windows 2000 are vulnerable, because Protected Mode in IE7 and IE8 on Windows Vista and Windows 7 prevents the exploit. Users who disable Protected Mode would also be vulnerable.

The exploit relies on the file: protocol and either scripting or some unnamed ActiveX control. Protected Mode most likely stops the exploit because it runs the browser in a user context that has no access to files in the file system outside of the Temporary Internet Files directories.

Microsoft has provided instructions in the advisory and a “Fix It” program to enable the “Network Protocol Lockdown”. Separate instructions for servers and for distribution through group policy are also provided. This will prevent the exploit by shutting off the file: protocol.

An attacker exploiting this vulnerability would have to know the precise location in the file system of the file to display, and even then it is just displayed in the browser, so the severity of the impact is debatable. Microsoft says it is aware of no attacks using the vulnerability, which makes it unusual for the company to release such an advisory.
