Monday, June 12, 2006

New Graphic Site

Yahoo! has done it again. Ah, the joy of crappy software being implemented without fully examining for security weaknesses...
There is a worm that exploits a flaw in the Yahoo! Mail Service (and currently only hits Windows users, so I'm safe there) and embeds JavaScript into the HTML code of an email.
When the user simply OPENS the email (titled "New Graphic Site") with the script, BAM the script is run, the user is redirected to an advertising site, and their Yahoo! address book is copied and the email is sent to everyone in it...
So every Yahoo! list I am on is getting these mails, and list owners keep assuring everyone that the list is safe since they don't allow attachments.
Um, sorry, guys, but this one isn't an attachment!
It's not an attachment!
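
An added example, not part of the original post: a short Python check showing why a "no attachments" rule does not help with this kind of message, and what inspecting the HTML body catches instead. The sample message, its placeholder markup and the names `ActiveContentFinder` and `analyze` are constructed for illustration and are not the worm's actual code.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: an HTML-only message with no attachment. The markup is
# an inert placeholder, not the worm's actual code.
SAMPLE = """\
From: friend@example.com
To: somelist@example.com
Subject: New Graphic Site
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Take a look</p>
<script>/* inert placeholder */</script>
<img src="x.gif" onload="void 0">
</body></html>
"""

class ActiveContentFinder(HTMLParser):
    """Records script-capable constructs seen in an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def analyze(raw):
    """Return (has_attachment, active_content_findings) for a raw message."""
    msg = message_from_string(raw)
    has_attachment = any(p.get_content_disposition() == "attachment" for p in msg.walk())
    finder = ActiveContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    finder.close()
    return has_attachment, finder.findings

if __name__ == "__main__":
    attached, findings = analyze(SAMPLE)
    print("attachment present:", attached)
    print("active content in body:", findings)
```

A filter that only looks at attachments passes the sample untouched; a list or webmail service has to strip or neutralise active content in the HTML part itself.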

So far the best article I've read on it is at The Register.

Symantec insists that it's a minor worm, but they're not seeing all the panicked emails hitting the lists.

Once again, in case you missed it: It's IN the email, NOT as an attachment!
Ah, STDs of the modern age.

