The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Microsoft is currently investigating the issue and will likely release an out-of-cycle security patch to take care of the problem. Let's just hope it comes soon, because according to security firm Fire Eye, this means that about 26 percent of the entire browser market is at risk.
And since Windows XP users won't be getting the patch for this fairly threatening bug, anyone still running the now-unsupported software is going to have to cough up some big bucks to stay safe. Anyone like—oh, the IRS, for instance.
[Microsoft via Cnet]