There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols.
This is the same type of input validation vulnerability that I discovered in the Safari 3 beta – Thor Larholm
US-CERT is aware of public exploit code for a new vulnerability targeting Microsoft Internet Explorer. The public exploit code demonstrates the vulnerability using the Mozilla Firefox firefoxurl:// URL protocol. Given this, a user must have Mozilla Firefox installed. To trigger this vulnerability, an attacker must persuade a user to access a specially crafted web page with Internet Explorer and have Mozilla Firefox installed.
US-CERT will provide additional information as it becomes available.