“attacks would take the form of tricking users into opening an attachment, so it’s not an auto-execute risk,”
Don't worry, it's only a zero-day exploit and although it requires the user to do exactly what Vista's UAC has trained users to do, there will be an auto-execute zero-day exploit along soon.
Microsoft security holes, death and taxes.