The vulnerability stems from an invalid flag reference in the browser and has already been exploited, to very limited effect. Internet Explorer 7/8 users can stay safe by ensuring that Data Execution Prevention (DEP) is enabled, and Microsoft offers a few more workarounds for IE6.
Microsoft warns of new IE vulnerability
Posted on Thursday, November 04 2010 @ 1:10 CET by Thomas De Maesschalck