The L0pht Heavy Industries report details a method of compromising IE 4.0/4.01 involving a "heap overflow" when accessing a type of URL with the prefix "mk:". The report describes exploiting the bug as "complicated, but ... nonetheless, do-able" and goes on to describe the necessary steps. Example URLs which deliberately feature the bug in action are also provided, demonstrating how a user can be put at risk by a single mouse click on a Web page. The user is equally at risk irrespective of their IE "security zone".
Since the bug was announced by L0pht on January 14th, Microsoft have commented to various news services, but their Web site dealing with security issues still had no information on the problem at the time this story was written. A Microsoft spokesman was reported to have said that a fix would be posted in "a little time". Text 100, Microsoft's UK PR firm, said when offered the chance to comment that, "There's nobody there [at Microsoft] now who can comment," but promised to get in touch in the morning.