From HD's blog post, here's a link to the original disclosed exploit:

http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07...

DEP stops it on IE7 and IE8.

It looks like use-after-free; an event is created for a DOM object, stored, the DOM object is cleared, and the DOM object is referenced through the event object from a second event.