>The patch for Drew's object data=funky.hta doesn't work: This is the exact same issue as http://greymagic.com/adv/gm001-ie/, which explains the problem in detail. Microsoft again patches the object element in HTML, but it doesn't patch the dynamic version of that same element. >1. Disable Active Scripting This actually means that no scripting is needed at all in order to exploit this amazingly critical vulnerability: <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span> <xml id="oExec"> <security> <exploit> <![CDATA[ <object data=x.asp></object> ]]> </exploit> </security> </xml> Ouch.
