I know I don't usually put patches in here, but this one is a must, especially if you deal with mass amounts of email as I do.

Because HTML e-mail is simply a Web page, Internet Explorer (IE) can render it and open binary attachments in a way that is appropriate to its MIME type. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that Internet Explorer handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail.

Attackers could use this vulnerability in either of two scenarios. They could host an affected HTML e-mail on a Web site and try to persuade another user to visit it, at which point script on a Web page could open the mail and initiate the executable. Alternatively, they could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system.

The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however.