From Microsoft (archived):
This is a cumulative patch that eliminates all previously addressed security vulnerabilities affecting Internet Explorer 6, as well as two additional newly discovered vulnerabilities. This update includes the functionality of all previously released patches for Internet Explorer 6, and eliminates the following newly discovered vulnerabilities: one that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a pop-up window, and one that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. Both flaws could have the effect of allowing an attacker to run arbitrary code on a user's system.
For more information about the vulnerabilities this update addresses, read the associated Microsoft Security Bulletin.