Metasploit reproduces the "Aurora" IE zero-day from "China" attacks (metasploit.com)
23 points by tptacek on Jan 15, 2010 | 7 comments


From HD's blog post, here's a link to the original disclosed exploit:

http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07...

DEP stops it on IE7 and IE8.

It looks like use-after-free; an event is created for a DOM object, stored, the DOM object is cleared, and the DOM object is referenced through the event object from a second event.
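The object-lifetime pattern the comment above describes, as an added C model that is not part of the thread and is not code from IE or from the exploit. All type and function names are hypothetical, and a static pool stands in for the heap so the stale reference can be inspected without undefined behaviour. It contrasts an event that merely remembers its element with one that holds a counted reference.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model; every name is hypothetical, none of this is IE code. */
typedef struct { int refs, alive; unsigned gen; char tag[8]; } Element;
typedef struct { Element *src; unsigned gen; int owns_ref; } Event;

/* Static pool: stale pointers stay readable, so the demo has no undefined behaviour. */
static Element pool[4];
Element *element_create(const char *tag) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (pool[i].alive) continue;
        pool[i].refs = pool[i].alive = 1;
        strncpy(pool[i].tag, tag, sizeof pool[i].tag - 1);
        return &pool[i];
    }
    return NULL;
}

void element_release(Element *e) {
    if (e == NULL || !e->alive || --e->refs > 0) return;
    e->alive = 0;
    e->gen++;                          /* slot may now be handed to another object */
    memset(e->tag, 0, sizeof e->tag);
}

/* Flawed pattern: the event remembers the element but takes no reference. */
Event event_capture_weak(Element *e) { Event ev = { e, e->gen, 0 }; return ev; }
/* Corrected pattern: the event owns a reference for as long as it exists. */
Event event_capture_counted(Element *e) { e->refs++; Event ev = { e, e->gen, 1 }; return ev; }

void event_destroy(Event *ev) {
    if (ev->owns_ref) element_release(ev->src);
    ev->src = NULL;
}

/* Returns 1 if the event still refers to the element it was created for, 0 if stale. */
int event_src_is_live(const Event *ev) {
    return ev->src != NULL && ev->src->alive && ev->src->gen == ev->gen;
}

/* Save an event for an element, drop the page's reference, then reach the
   element through the saved event the way a second handler would. */
int run_scenario(int counted) {
    Element *img = element_create("img");
    Event saved = counted ? event_capture_counted(img) : event_capture_weak(img);
    element_release(img);
    Element *other = element_create("div");   /* reuses the slot if it was freed */
    int live = event_src_is_live(&saved);
    event_destroy(&saved);
    element_release(other);
    return live;
}
```

`run_scenario(0)` reports a stale source element because the slot was released and reused while the event still pointed at it; `run_scenario(1)` reports a live one because the event's own reference kept the element alive.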


This is, I think, a reduction of the underlying problem (in Haml):

http://pastie.org/780341


Hopefully this will force _some_ of the companies to rethink their policy on insisting on using IE6 to support outdated software.


It affects IE7 too, and may affect IE8 when DEP is disabled.


According to this: http://mashable.com/2010/01/15/german-government-stop-using-... it affects all IE versions even in "protected" mode. I am guessing they are referring to DEP.

I am so happy that this single event might start a _major_ decline in IE market share. I am sick and tired of doing IE-specific hacks for my sites.


No, "protected mode" and DEP aren't the same thing.


I highly doubt this will cause any decline. The people who will hear about this news or care about it have mostly already switched (or can't because of an external reason or have some educated reason for sticking with IE). The rest will hear no more than "Google got attacked by China."



