From Security Focus Bugtraq archives for today:

A vulnerability was reported in Microsoft Internet Explorer (IE) version
5. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can create a specially crafted bitmap file that,
when loaded by IE, will trigger an integer overflow and execute arbitrary code.

The author states that this flaw was found by reviewing the recently leaked Microsoft
Windows source code. The flaw reportedly resides in 'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'