Spammers use the facilities in HTML e-mails to further their goals. Because almost every application that displays HTML pages uses the Internet Explorer COM objects, they're vulnerable to most of the same security flaws as Internet Explorer is itself.
There have been many serious security vulnerabilities that Microsoft has patched, and many that still remain unpatched and exploitable. Chief among them is the IFRAME issue.

IFRAME, an abbreviation for Inline Frame, is a very simple way Web developers can include a Web page from a different location inside their own page.
Due to a security flaw within the Internet Explorer IFRAME system, a malicious HTML e-mail (or Web site) can bypass the built-in security. Under normal circumstances, the Security Zone system within Internet Explorer will prevent a remote server from gaining local privileges on your computer. Using a flaw in the IFRAME system, a remote server can perform any action on your computer by accessing the Local Zone with you doing nothing more than opening the e-mail or viewing the Web page.

Although Microsoft has released security patches for the IFRAME issue, further flaws still exist in this and other Internet Explorer features. Spammers can obtain even more information about you by exploiting these flaws through specially constructed HTML e-mails.

Always make sure all your applications are up to date with security patches. Through the magic of COM objects, a security flaw in one product can easily affect others.