http://news.cnet.com/news/0-1005-200-7828689.html http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp Apparently, the security hole allows malicous sites or HTML formatted emails to read cookies from domains oursite their own. e.g. a malicous page on ebay.com could read a cookie set by amazon.com No patch yet. Fix is to disable active scripting and wait. .djc.