According to the US Computer Emergency Response Team (US-CERT), the vulnerability lies in the way IE 6 handles attempted cross-site scripting attacks.