<IFRAME> tag insertion

This is not specifically an attack on clients, but rather a means by which to cause clients to visit sites which have malicious content, which they wouldn't have gone to otherwise. From the HTML spec:

The IFRAME element allows authors to insert a frame within a block of text. Inserting an inline frame within a section of text is much like inserting an object via the OBJECT element: they both allow you to insert an HTML document in the middle of another, they may both be aligned with surrounding text, etc.

It is definitely not the only way to force a user to view external content (a simple image link suffices for that), however it is notable because it can allow for pulling in malicious pages in such a way that it will not necessarily be obvious to the user.

Here's something which is commonly seen in MS write-ups of IE exploits under the "Mitigating Factors" heading:

In a Web-based attack scenario, an attacker would have to host a Web site that contained a Web page that was used to exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site

However, in light of iframe insertion, we can see that this last part is not entirely true. While the user may not be being forced to go to a malicious website, they certainly aren't being persuaded either; their browser is simply doing what it's supposed to and fetching the content. In the event that a webserver is compromised, attackers now will often simply leave the content the same, and insert an IFRAME link pointing to their malicious site. The code can be combined with server-side client identification to tailor the exploit to the particular browser accessing the site. In this case, the vulnerable user doesn't have much of a chance.