Just got sent a variation on the Bagle virus I hadn't seen before. It consists of an HTML message containing a VBScript routine. This routine creates an executable file and then runs it. Because the message doesn't contain an attachment, it looks safe. But view it with Outlook Express (or any Windows email client that uses Microsoft's HTML rendering engine) and boom! you're infected.
Even more special, someone could easily infect users of Internet Explorer by adding this code to a Web page.
Can somebody explain to me why Microsoft felt it was a good idea to write a scripting language which permits complete access the user's file system? And why, after years of such security holes being exploited, they don't remove that capability?