: well, I guess it's not that strange that it's possible to find an exploit that works across multiple versions; I was thinking that this implied the same exploit code could be used, which would be quite something... but that isn't mentioned anywhere; brainfart on my part.
Also, various blog entries mention that IE8 sandboxed mode helps mitigate the attack, and DEP (default in IE8, optional and default-disabled in IE7) also helps mitigate the problem, but it's not mentioned how much it helps - like, whether sandboxing lets the exploit do its stuff, but limits which files can be read/written... and whether DEP might let the browser crash, but not run the exploit code. All we get is "mitigates".