A second bug has been found! This time it involves a website manipulated to host an infected file (which can be either flash/gif/mpeg/avi - this is a wide ranging issue!). This file proceeds to hypnotize the user into downloading a malicious file, then even more dastardly accepting the UAC warning.
Microsoft are yet to comment on this security issue, but examples of this exploit can already be found on the web. This site has an example http://r33b.net/ - only look at it for a maximum of 10 seconds otherwise you will be infected.
Hopefully this will be patched quickly as I'm sure you are as concerned as I am.