Originally found at http://www.eeye.com/html/Research/Advisories/AD20021211.html (and then email to me)

> Twas the night before Christmas, and deep in IE
> A creature was stirring, a vulnerability
> MS02-066 was posted on the website with care
> In hopes that Team eEye would not see it there
>
> But the engineers weren't nestled all snug in their beds,
> No, PNG images danced in their heads
> And Riley at his computer, with Drew's and my backing
> Had just settled down for a little PNG cracking
>
> When rendering an image, we saw IE shatter
> And with just a glance we knew what was the matter
> Away into SoftICE we flew in a flash
> Tore open the core dumps, and threw RFC 1951 in the trash
>
> The bug in the thick of the poorly-written code
> Caused an AV exception when the image tried to load
> Then what in our wondering eyes should we see
> But our data overwriting all of heap memory
>
> With heap management structures all hijacked so quick
> We knew in a moment we could exploit this $#!%
> More rapid than eagles our malicious pic came --
> The hardest part of this exploit was choosing its name
>
> Derek Soeder
> Software Engineer
> eEye Digital Security