Well, it’s newly discovered, but it’s a six year old bug… http://secunia.com/advisories/11966/ Basically, IE doesn’t check which window a frame is in, so window #1 can open a page inside a frame in window #2. This has been verified on a fully patched WinXP/IE6.
Here’s an example. www.windowsupdate.com will open in a new window. Once that’s loaded, come back here and inject invisibill.net into Windows Update. Switch back to the Windows Update window, and tell me what you see.
Now imagine if I had used a fake updates page linked to spambots and keyloggers instead of my obviously-not-WindowsUpdate page… It seems like no matter how many major IE bugs get fixed, there’s always another one coming up…