From the bulletin:
Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location.Which means, for example, that if you can figure out the user's user name, you can read their address book from your website: "C:\Documents and Settings\user_name\Application Data\Microsoft\Address Book\user_name.wab".