I think this vulnerability demonstrates not only a sloppy implementation, but also a flawed approach to security. It would seem that whenever there is the choice of giving developers a chance to control the user, or implementing some sensible security, M$ do the former.
Now we come to the bug(s) in Internet Explorer. M$ Outlook calls IE to display HTML e-mail and does so in the case of the malicious e-mail that carries the virus. IE is tricked into executing the malicious code and the infection is underway. M$ have a very poor track record in protecting their customers against malicious code - they would rather developers can make everything unnecessarily flash.
I agree security is very important. However, the general user of Microsoft products knows little about security and these problems. And furthermore they aren't interested (general Mac users are the same). They want a box to use MS Office on. Also, MS doesn't seem interested in informing people of problems with their software (already mentioned on this list a few times).
In this case it is time that IE (and e-mail programs) deliberately made it hard to execute code downloaded from the net rather than making it easy - that would ensure people didn't do it unwittingly and the software didn't do it by mistake. The consequences are too serious to be playing around.
Good luck. Ease of use over security always wins with MS. If MS made secure and correct programs, it would kill off a major part of the computer support industry.
Ashley
Dr. Ashley T. Howes PhD www.ashleyhowes.com Programmer
"When he sees the dream he seeks, he will sleep"