Thanks to Rafael for bringing this to my attention
The HijackClick series have been used to force a drag and drop event simply from the user clicking a something. This is done by moving the window when nmousedown fires. Previously, window.moveBy/To has been used.
Microsoft patched MSHTML.DLL and IEXPLORE.EXE but failed to patch the show() function method cache part too. Meaning that exploiters can make it show the popup on loading of the main window, move the popup and show a favorites list on mousedown, and set a timer to hide the favorites list and taunt the victim who just got tricked into adding a link of our choice to their favorites list.
Another day and another Internet Explorer vulnerability.
View: HijackClick 3 Exploit - See for yourself
View: Information on HijackClick 3 at BugTraq
View: Firefox - the browser, reloaded
News source: SecurityFocus