It appears that this can also be exploited when an HTML page includes a malformed cursor file as well... that's why IE7 isn't affected in Protected Mode. Word's HTML viewing prevents this bug from being exploited because it's
not a full featured HTML viewer-- it can't use an animated cursor included in a webpage.
"Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"
Assuming you're right it still doesn't explain the above quote. How come Word's HTML viewing prevents but a plain text (no html parsing) doesn't? It just doesn't make any sense assuming the bug can be exploited just by opening the mail in plain text and not
clicking some .ani attachment or stuff.