If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE.

So: No, surfing with MSIE is still not safe.

References

• CVE-2006-3730
• USCERT note 753044
• Microsoft security advisory 926043

Defenses

• Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
• Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)
  
• Set the killbits:
  {844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
  
• Keep antivirus signatures up to date.
• Keep an eye out for a patch from Microsoft.
• ...

--
Swa Frantzen -- Section 66