CNET News.com: IE 5 bug leaves computers open to invasion

“The vulnerability is in IE 5’s ImportExportFavorites
, which lets users import and export lists of commonly
accessed Web addresses. The trouble is that the feature lets a
malicious Web site operator run executable code
on the
computer of someone who visits that Web site.

‘The net result is that a malicious Web site operator
potentially could take any action on the computer that the user
would be capable of taking,’ warned Microsoft in a security

Microsoft said IE 5 users can disable Active Scripting to
protect themselves pending the release of a patch.”

“Microsoft acknowledged Bulgarian bug hunter Georgi Guninski for
discovering the security hole.”