Sad part is that the vuln was reported ages ago...

Internet Explorer ‘feature’ causing drive-by malware attacks - ZDNet Zero Day Blog

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

Schouwenberg said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded into GIF files can be executed under certain circumstances. Microsoft disagreed and the issue was never patched.