Yup, that's the first of many to come(?). And I myself know many people still running IE5. It's fairly easy for an attacker to send an email with a bmp attachement and the user with preview mode on by default, could inadvertently open it in Outlook Express (which uses the IE rendering engine). Pw3n3d.
And you won't even believe the kind of things people do by the way of handling attachments. Just the other day, I was on the phone with this dude that downloaded a malware exe from Yahoo! webmail on to the desktop, from an entirely unknown source, merrily double clicked and watched the fireworks fly.