Berend-Jan Wever has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.
The problem is that sites from the "Internet" zone can include scripts from local resources. This can be exploited to determine the presence of local scripts by checking the existence of global variables introduced in the included script.
NOTE: This is similar to an old issue, which used the window.onerror event to catch errors in the loading of local scripts.
The weakness has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
SOFTWARE:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
SOLUTION:
Disable Active Scripting support for all but trusted sites.
PROVIDED AND/OR DISCOVERED BY:
Berend-Jan Wever
VERIFY ADVISORY:
http://secunia.com/advisories/13892/
Secunia Security Advisories
http://community.securityteam.us/article.php/20050120090738930