Yep. You don't have to click on anything to get infected. We've had a couple of our systems infected over the past couple of months. What scares me is:
1. We were running the latest version of Firefox
2. Acrobat Reader was fully patched (version 8, not 9; but we have to leave JS enabled)
3. Adobe Flash was up-to-date
4. Windows was fully patched
5. We have web filters
6. They got past 2 layers of IDS/IPS and 3 layers of antivirus scanners (different engines)
7. Users are NOT admins!!!
Since then, we have switched to a few new products and attempted to tighten things up even more, but these things have gotten incredibly complex. In one case, it was a triple attack. The Flash ad (0-day exploit) loaded an exploited PDF (0-day exploit) that took advantage of a 0-day IE exploit (keep in mind we use Firefox), which compromised the system. We have a nuke-from-orbit policy on any system we suspect has been infected, but what a waste of time!
It was hosted from a site in India. The user was on Yahoo's website (we've had 4 infections through Yahoo's ads). They did NOT click on anything!
Be very afraid!