IE vulnerabilities reported by Liu Die Yu

They do not seem to be listed yet on the original Unpatched Internet Explorer Bugs page, though. ヽRノ日記 also has information.
New "Clean" IE Remote Compromise

By combining several vulnerabilities in Internet Explorer, an attacker can execute his EXE file on a victim's system.

MHTML Redirection Leads to Downloading EXE and Executing

A vulnerability in Internet Explorer is found: any attacker that can reach MYCOMPUTER security zone (a.k.a. local zone) is able to download his EXE file and execute it.

BackToFramedJpu - a successor of BackToJpu attack

A cross-zone scripting vulnerability has been found in Internet Explorer. If a webpage contains some subframe (either FRAME tag or IFRAME tag), its security zone may be compromised.

HijackClickV2 - a successor of HijackClick attack

After applying MS03-048, the original HijackClick exploit doesn't work any more. With method caching (a.k.a. "SaveRef"), HijackClick works again.

Invalid ContentType may disclose cache directory

The problem lies in the download function of Internet Explorer. This can be exploited by malicious web pages to get cache directory including random names.

Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise

By combining cache file disclosure and several other unpatched vulnerabilities, a malicious INTERNET page can reach MYCOMPUTER zone. The demo uses Adodb.Stream to launch a remote compromise attack.

IE Remote Compromise by Getting Cache Location

With the help of LocalZoneInCache (refer to "[technical details]" part), an attacker can compromise a user's system even though the user has:
1. Customized IE cache directory,
2. Applied MS03-048 patch,
3. Set killbit for ADODB.STREAM ActiveX.

Addendum: In short, it is utterly hopeless.

Addendum (11/28):
セキュmemo has a summary of the IE vulnerabilities.