Scripting backdoor steals secrets

What you can do

As an Internet user, first test to see if your favorite sites are affected by this vulnerability. Perhaps your biggest defense against this vulnerability is to disable scripting altogether. Even with some of the recent browser security patches, you will still be vulnerable to malicious code as long as you have JavaScript and ActiveX enabled. Unfortunately, we don't see this as an option for too many people, since scripting has become synonymous with browsing the Internet.

Something else you might try with Internet Explorer is disabling script execution for all sites except those that you have personally tested. For example, KeyLabs tests have found that Amazon is immune to this exploit, so you can put Amazon in your trusted sites list.

What Web designers must do

For Web developers, the solution is clear. You MUST validate user input. When building a Web site, validating user input is sometimes the last thing you think about. Two quick methods for eliminating this problem from your Web site are 1) limiting the size of your user input fields, and 2) permitting only letters and numbers (no special characters of the kind that script tags are built from).
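The two rules above written out as server-side checks, as an added example that is not part of the article: a length cap and a letters-and-digits allow-list on the way in, plus HTML escaping on the way out for any field that is echoed back into a page. The field name, the limit of 64 characters and the sample inputs are assumptions, and it runs under Node.js.

```javascript
// Added example (not from the article): input validation of the kind the
// article recommends, plus HTML escaping on output. Runs in Node.js.

// Rule 1 from the article: cap the length of each user-supplied field
// (64 is an assumed limit; pick one that fits the field's purpose).
const MAX_FIELD_LENGTH = 64;

// Rule 2 from the article: accept only letters and digits (an allow-list),
// so the characters a script tag depends on (<, >, ", ', &) never get in.
const ALLOWED = /^[A-Za-z0-9]+$/;

// Returns {ok: true, value} for acceptable input, or {ok: false, reason}.
// Rejecting rather than "cleaning up" bad input avoids filter-evasion games.
function validateField(input, maxLength = MAX_FIELD_LENGTH) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length === 0) return { ok: false, reason: 'empty' };
  if (input.length > maxLength) return { ok: false, reason: 'too long' };
  if (!ALLOWED.test(input)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true, value: input };
}

// Defence in depth: anything echoed back into a page is HTML-escaped, so
// even a field that must allow punctuation (a free-text comment, say)
// is shown as text by the browser rather than interpreted as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // must come first, or later entities get doubled
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the greeting fragment a site might render from a "name" field
// (assumed field). Invalid input never reaches the page; valid input is
// still escaped before it is placed into HTML.
function renderGreeting(nameField) {
  const result = validateField(nameField);
  if (!result.ok) return '<p>Invalid name (' + escapeHtml(result.reason) + ')</p>';
  return '<p>Hello, ' + escapeHtml(result.value) + '</p>';
}

// Constructed sample inputs: a normal name, a script tag, an oversized value.
const samples = ['Alice', '<script>alert(1)</script>', 'x'.repeat(200)];
for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 30)), '=>', renderGreeting(s));
}
```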

O'Reilly has a site with good information on protecting your Web site. Their World Wide Web Security FAQ contains practical steps on protecting your site against this kind of attack.

This new exploit supports the notion that maybe scripting shouldn't have free rein of your system after all. Before, we were just so excited with all the cool things JavaScript and ActiveX could do that we never stopped to evaluate the danger of this new technology.

Regardless of what you decide to do, one thing is clear: this vulnerability has just opened up a source of liability for Web site owners. If they can't ensure the security of their customers' personal information, at best they will lose customers. At worst, they will get sued for violation of trust.
