http://www.securityfocus.com/archive/1/500835
The specific flaw exists when processing, in XHTML strict mode, a CSS stylesheet containing a specific combination of style directives, one of which must be a ‘zoom’. The fault in processing results in a memory corruption vulnerability which can be leveraged to execute arbitrary code under the context of the current user.
Internet Explorer contains a memory corruption vulnerability in its processing of CSS stylesheets in XHTML strict mode. If a stylesheet opened by the user contains a specific combination of style directives, one of which is zoom, the vulnerability is triggered and arbitrary code can be executed with the privileges of the currently logged-in user.
I really have to admire the people on the offensive side: they even managed to find a memory bug in zoom rendering and turn it into an attack. Impressive.
A colleague is currently researching this vulnerability; looking forward to the results...