Internet Explorer faces two new vulnerabilities this week - slightly different to the usual buffer overflow, but both could aid the delivery of trojans.

The lesser of these two evils, effectively a cross-site exploit, might allow attackers to harvest credentials from hotmail, ebay, etc. via a second website. This flaw is based on incorrectly handled javascript - and is actually the same in Firefox. Proof of concept exploits exist.

The second more serious flaw allows attackers to use SMB shares - unlikely unless the attacker is local - or WebDAV to deliver executable code. This relies on a user clicking a link, but as we all know, if there's one thing users can be relied upon to do, it's click links!

SANS have the full low-down.