Current trend in IE hacking.

This is not mine. I’ve found the following in one of the vulnerability postings on packetstorm.

<snip>
it’s the same modus operandi we’ve seen over and over in the past months, it goes something like this

  1. Find a cross zone scripting exploit
  2. Load a local trusted resource in an iframe
  3. Inject javascript code in the trusted iframe using the cross zone scripting exploit to take over the computer, using the adodb.stream issue for instance

</snip>

This type of modus operandi (I’m not talking about the method of simulating a user click to pop up a window; that’s a different one) is currently used for opening pop-ups and installing unwanted toolbars. AFAIK, there’s currently no way to avoid this type of attack. Fortunately, the method currently used is way too cumbersome to mimic.
