IE, Outlook run malicious commands without scripting


Joe Gronlund
Mon 4th Mar '02, 11:27am
An attacker can run arbitrary commands on Windows machines with a simple bit of HTML, an Israeli security researcher has demonstrated. The exploit will work with IE, Outlook and Outlook Express even if active scripting and ActiveX are disabled in the browser security settings.

The problem is data binding, an old 'feature' going back to IE4 in which a data source object (DSO) is bound to HTML.

The Register (http://www.theregister.co.uk/content/4/24274.html)

Martz
Mon 4th Mar '02, 11:45am
Another bug huh.

Well, for people running NT/2k systems check this out:

http://security.greymagic.com/adv/gm001-ie/simplebind.html

Shows the above exploit, which is quite scary. Loads calc.

nuno
Mon 4th Mar '02, 12:01pm
LOL
we're in good shape heh?
one bug per week, all hail M$ :D