Microsoft says it has found a new vulnerability in Internet Explorer 6 and 7 that could allow remote code execution. The company is currently working on a fix, and the advisory linked above lists a few workarounds for those affected.
The vulnerability exists because Internet Explorer uses an invalid pointer reference. Under certain conditions, the invalid pointer can be accessed after the object it refers to has been deleted. In a specially crafted attack, Internet Explorer's attempt to access the freed object can result in remote code execution.