The exploit page (the one the victim is supposed to click on) loads the injected page (in this case Yahoo Mail) as stylesheet. The CSS parser throws away all the html and correctly parses the injected css.
I think the description is not very clear about this step, I had to look at the source of the exploit page to understand what happens.
Clever. But if the single quotes were ", and so on, this would not work. CSS does not have SGML entity support (or does it? please tell me it doesn't...)
I also open a separate IE window to log in to my banks and then close out completely when done.
Ever since I saw the hack that checks colors of visited URLs using CSS, I've been a little more cautious of what I'm logged into across tabs.
The thing is, the rest of the world is just running a bunch of IE7 tabs or even IE6 windows.