Talk about fast! George Ou at zdnet posted an article about this particular gem.
Essentially, a user with the Speech Command feature enabled can browse to a web page which starts a sound file (like just about every mySpace page) containing clearly recorded commands, and the Speech Command feature will execute those commands without any other user interaction. While not every command is enabled through Speech Command, George explains why you should disable Speech Command until there is a fix:
The fact that a website can play a moderate level sound file to
interact in a way with the desktop by activating an idle speech
command system and be able to delete user documents with zero user
interaction is serious by any stretch of the imagination.
Update: Microsoft has confirmed this exploit.