March 25, 2006

specially crafted web sites

"Experts have noted that, while the flaw is serious, those wishing to exploit it would have to entice users to click a link that takes them to a specially crafted Web site."

How is this a mitigating factor or anything that should be presented as lessening the concern? When does a browser vulnerability not require that a user connect to a website serving malicious code? It seems like this is a common refrain for all of the IE vulnerabilities, and I'm wondering: is it anything more than just spin?

Can any of you all think of serious browser vulnerabilities that don't require a user to make a connection to a site that serves malicious content? If not, then why treat that as somehow special?

Posted by asa at 11:05 AM

 
