ANDREA STREIGHT wrote:

> "By convincing a user to view a specially crafted HTML document
> (e.g., a web page or an HTML email message), an attacker could
> execute arbitrary code with the privileges of the user. The
> attacker could also cause IE (or any program that hosts the
> WebBrowser ActiveX control) to crash.
>
> Reports indicate that this vulnerability is being exploited by
> malicious code propagated via email. When a user clicks on a URL in
> a malicious email message, IE opens and displays an HTML document
> that exploits the vulnerability.
>
> I'm convinced.

Me, too -- I'm convinced anyone still using Windows/IE/Outlook is
pretty reckless :-)

You might note that a *plain text* email with a URL in the format
<http://example.com/> will be *made clickable* by Outlook, and if
clicked, *will launch* your default browser.

If that's IE (or other ActiveX-enabled browser), well, you can at
least say "Yo, I didn't get cracked by accepting HTML email!"

And that'll be a great consolation, I'm sure :-)

--
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.