>The external method flaw also seems to affects my ie6 sp1 browser Indeed, it was overlooked in the final write-up of the advisory. It's also worth mentioning that IE6 SP1 is vulnerable to the "clipboardData" object caching as well, which, unfortunately, wasn't mentioned before. The advisory and demonstration have been revised to reflect these and IE6 SP1 is again open to local file reading, program execution and clipboard control in addition to global access to any domain. http://sec.greymagic.com/adv/gm012-ie/
