All versions of IE (IE6-IE11) are vulnerable to a remote code execution which works through a memory corruption bug. Attacks have been reported, so this isn’t a ‘theoretical’ thing. The reported attacks are using attacks on IE8 and IE9. The source for this is http://technet.microsoft.com/en-us/security/advisory/2887505 :
“Mitigating Factors:
By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 20...