According to the researchers, the software does not properly validate what users enter through its virtual keyboard. A remote attacker can create a specially crafted HTML page that, once the target user downloads it, brings up the virtual keyboard; from that point the attacker can view files on the victim's system.
"A specially crafted GetGraphics() call with an input value containing directory traversal characters can trigger this flaw," Security Tracker said.
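To make the quoted mechanism concrete, the following is an added illustration of the traversal pattern, not code from the affected product or from the advisory: a naive file lookup that joins a caller-supplied value onto a base directory, beside a lookup that canonicalises the path and refuses anything that resolves outside that directory. The base directory, the two function names and the sample inputs are all hypothetical.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical base directory of a graphics lookup handler. Neither this
# path nor the two functions below come from the affected product; they
# only illustrate the traversal pattern the advisory describes.
GRAPHICS_DIR = "/opt/app/graphics"


def vulnerable_graphics_path(name: str) -> str:
    """Naive lookup: joins the caller's value onto the base directory as-is.

    '..' components walk out of GRAPHICS_DIR, and an absolute `name` makes
    posixpath.join discard the base directory entirely.
    """
    return posixpath.join(GRAPHICS_DIR, name)


def safe_graphics_path(name: str) -> Optional[str]:
    """Resolve `name` under GRAPHICS_DIR, or return None if it would escape.

    The decision is made on the normalised path rather than by searching the
    raw string for '..', so percent-encoded and backslash-separated variants
    are caught as well.
    """
    decoded = name
    # Decode percent-encoding twice so that "%252e%252e" (double-encoded
    # "..") is seen for what it is before the path is normalised.
    for _ in range(2):
        decoded = unquote(decoded)
    # Treat backslashes as separators; a Windows-style "..\\" escapes too.
    decoded = decoded.replace("\\", "/")
    if not decoded or decoded.startswith("/") or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(GRAPHICS_DIR, decoded))
    # Require the base directory plus a separator as a strict prefix, so a
    # sibling such as "/opt/app/graphics_old" (or the base dir itself) is
    # not accepted as being inside.
    if not candidate.startswith(GRAPHICS_DIR + "/"):
        return None
    return candidate


# Constructed sample inputs: one legitimate name followed by traversal
# variants of the kind a crafted call could carry.
SAMPLE_INPUTS = [
    "icons/ok.png",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/x",
    "..\\..\\win.ini",
    "/etc/passwd",
]


def compare(names=SAMPLE_INPUTS):
    """Return (name, naive_result, checked_result) for each sample input."""
    return [(n, vulnerable_graphics_path(n), safe_graphics_path(n)) for n in names]


if __name__ == "__main__":
    for name, naive, checked in compare():
        print(f"{name!r:40} naive={naive!r:45} checked={checked!r}")
```

The check is lexical: `normpath` collapses `..` components without touching the filesystem, so a symbolic link inside the base directory can still point elsewhere. A real handler should additionally resolve the candidate with `os.path.realpath` and repeat the prefix test on the result.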
The advisory is available here.