The “object type” vulnerability was discovered by eEye Digital Security around four months ago. A patch was released on Aug. 20. It was then re-released on Aug. 28, because under some circumstances it had caused problems for some non-default operating system installations, according to eEye. The patch appears to be due for yet another rerelease because it simply doesn't fix the vulnerability it is supposed to, eEye said.
The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code. [Privacy Digest]