Because that local file can be downloaded and opened by executing javascript. In fact, that seems to be the preferred method, since the target Jet needs to be 32-bit and a lot of people are still using 32-bit browsers, which will call the 32-bit Jet to handle a Jet file it's been tricked into executing.
The mitigation is to run only 64-bit applications and to not execute Javascript from untrusted sources.
Biting the hand that feeds IT
