Microsoft has released a patch that eliminates a security vulnerability in Microsoft® virtual machine (Microsoft VM). If a malicious web site operator were able to coax a user into visiting his site, the vulnerability could allow him to take ANY desired action on a visiting user's machine (such as creating, changing or deleting data, sending data to or receiving data from a web site, reformatting the hard drive, and so forth).
This vulnerability could even be exploited through an e-mail message. A malicious user could use an html formatted e-mail to exploit this vulnerability and allow a message to execute within the Preview pane. If the e-mail client is configured to run in the Restricted sites zone the malicious message would not be able to execute.
If you're using IE 4.x or IE 5.x, you definitely have a version of the VM that's affected by the vulnerability. It doesn't matter what other software you have installed; if IE 4.x or 5.x are installed, you have an affected version of the VM.
Even if you're not using a version of the IE that is affected by the vulnerability, you could still have an affected version of the Microsoft VM, as it ships as part of other products like Visual Studio. In this case, the best course is to determine the build number for the version of the Microsoft VM you are using and see if you have an affected version.
All users that have an affected version of the Microsoft VM should install the new VM build. Download the Microsoft "VM ActiveX Component" Vulnerability Patch from the links below