There is a new bagle worm that uses an exploit in IE. It does not need to have the user open an attachment, they just need to read an email with HTML in it. !!!
There is a test to see if you are vulnerable here:
More detailed info here:
Bagle Q info here:
Go straight to the patch, here: