The attack splices together multiple weaknesses in Internet Explorer, including at least one known but unpatched flaw and several new ones. The scripting cocktail tricks the browser into running code from a remote web server as though it were a local help file, and can then install a trojan of the attacker's choice on the compromised system.
Some security professionals called the new hack an example of a "zero-day exploit," in which a working attack is published at the same time a vulnerability is discovered. The existence of a published exploit puts pressure on Microsoft to quickly come up with a patch for all IE users. Early reports suggest the key security holes may be patched in Windows XP Service Pack 2, which is now in beta.