I work on the IE team at Microsoft, and I really don't think this is an exploit. If you can control the script for the click event, then you already have control of the page and can do worse (think: cross-site scripting). In this case, if you browse to my site and I'm a bad guy and want to send you to evil.com, I'd just craft a page that makes you think the whole page is honorable, rather than hope you click on a link. In other words, anyone who can hack the click event already owns you.
I'm very happy to reassess if you have an example where you do not control the content of the page, but somehow still control the content of the click. That would be really serious and worth fixing.
-John Jansen
Principal Test Lead
Internet Explorer
I'm very happy to reassess if you have an example where you do not control the content of the page, but somehow still control the content of the click. That would be really serious and worth fixing.
-John Jansen Principal Test Lead Internet Explorer