Security consultant Georgi Guninski has highlighted a new Outlook security vulnerability that could make it possible for an HTML mail message to run a script or connect to a Web site with malicious content. The problem occurs when you configure Outlook to use Microsoft Word as its editor (a configuration known as WordMail). With the regular Outlook editor in operation instead of WordMail and with Outlook set to use the Restricted Sites zone for mail security, Outlook doesn't exhibit the vulnerability.

http://www.guninski.com/m$oxp-2.html