I have to say I'm puzzled by a) how they managed to get it to crash like that (assuming all default settings and considering the MS quotes below) and b) why the email HTML preview is affected but IE7 in protected mode is not. (Why doesn't protected mode apply to email viewing? It's still HTML.)

A couple of select quotes from http://www.microsoft.com/technet/security/advisory/935423.mspx


"Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode"

This one is weird:

"By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector"

So now viewing stuff in Word protects in this case? One would figure that Word would have more features and thus bugs.


"Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

Ouch. This one is surprising. I'd like to ask, how the hel* does the cursor get past that automatically, or is there some user action still required?