This exploit affects Explorer, Outlook, and Outlook Express 5.5+. It uses the same technique as an older JScript bug, but relies on Microsoft's data binding technology so that the exploit runs even on machines with Active Scripting and ActiveX disabled. Data binding is a technology that allows almost any kind of data to be bound to HTML without using any scripting.
No patch is available yet, but the discoverers (GreyMagic Software) suggest using regedit.exe to find
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] and changing the value of "1004" (DWORD) to 0x3.
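The same workaround can be audited and applied from a script instead of by hand in regedit.exe. The following is an added example, not code from GreyMagic or Microsoft; the key path, value name and data are the ones quoted above, while the function name `Set-ZoneWorkaround` and its output fields are hypothetical.

```powershell
# Added example: audit and apply the registry workaround quoted above.
# Key path, value name "1004" and data 0x3 come from the page;
# the function name and the shape of its output are hypothetical.
function Set-ZoneWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0',
        [string]$Name = '1004',
        [int]$Desired = 0x3
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Zone key not found: $Path"
    }

    # Read the current data; $null means the value does not exist yet.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    $changed = $false
    if ($current -ne $Desired -and
        $PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Desired")) {
        # -Force overwrites an existing value and creates a missing one.
        New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord `
            -Value $Desired -Force | Out-Null
        $changed = $true
    }

    # Return the previous data so the change can be rolled back later.
    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Previous = $current
        Desired  = $Desired
        Changed  = $changed
    }
}

# Report only; drop -WhatIf to apply the change for the current user.
Set-ZoneWorkaround -WhatIf
```

The setting lives under HKEY_CURRENT_USER, so it has to be applied once per user profile on a shared machine.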
GreyMagic has also put up a web page demonstrating the vulnerability, which allows you to type in the path of any program and have the web page execute it. Their default is set up for Windows NT, so you might want to try something like c:/windows/system32/notepad.exe. It worked like a charm on a fully patched Windows XP Professional box, and it has been tested on Windows 98, NT 4, and 2000 as well.
Further coverage is available at The Register.