I think this tops the buffer overflow in Outlook/Outlook Express where
arbitrary code can be run on an unpatched Windows machine just by sending
someone a plain text email.
This vulnerabilty is a right screwup. It allows someone to execute an
attachment on your Windows computer:
(a) just by visiting a site; or
(b) just by sending you an HTML email (that is automatically rendered
Unknown to me MS HTML emails are just in fact packaged web sites:
"Because HTML e-mails are simply web pages, IE can render them and open
binary attachments in a way that is appropriate to their MIME types."
Check it out:
This is a good example of how not to design a secure operating system. And
that's why statements such as "no operating system is secure" are
misleading. While none are prefectly secure there are degrees of security.
This demonstrates that Microsoft allowed people to email web sites to one
another and then thought about the security implications later.
Attachments execute as the email (i.e. web page/site) is "rendered".
Wonders never cease.