This patch fixes a cross domain vulnerability that could allow LMZ script execution (this is the Back button JScript vulnerability). This patch fixes the DHTML drag-drop file download vulnerability (save arbitrary code to your machine, but not execute it). This patch fixes an url parsing bug that could be exploited to show an url in the address bar that is different from where you actually are.
And one last important change:
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
For more information about this change, please see Microsoft Knowledge Base article 834489.