IE patch problems
Forum: Microsoft Office
Category: Other
Miscellaneous
Thread ID: 00658951
Message ID: 00660548
In the Register article about the IE patch, which claimed it didn't really fix the problem, they posted a link to a site supposedly containing information on the exploit. After patching my XP Pro/IE 6 system with the latest updates, I visited that site. I was presented with tons of source code and explanations of how the exploit works, followed by a series of links which were supposed to use the exploit to execute notepad, paint, and some other programs on my computer. ALL FAILED with security errors or undefined object references.
I'm not saying there aren't more or other holes, in fact they will ALWAYS be with us until we strip out any semblance of functionality and lock down every little thing. And even then... I haven't been infected with any email viruses, and I use Outlook and Exchange Server. Why? Because I know not to open certain things. I never got infected with Code Red, yet I run IIS, and my logs showed attempts from at least 4 different sites. Why? Because I had long ago applied the patch to protect my system. But I'm not everyone.
It's a catch-22, and I know people will deny it up and down, but if MS stripped out all the functionality in Outlook, Office, IE, etc. that opens these holes in improperly configured systems, the VERY SAME people who yell and scream that this stuff isn't necessary will start jumping up and down wondering why they can't have this or that function. Or switch en masse to whatever product offers the now-missing features.
The latest SQL worm is a good example. Is it MSFT's fault? Absolutely NOT! Why? Because what COMPETENT system administrator leaves high level administrator accounts without a password? And what's even funnier about this one, one of our vertical markets is independent insurance agencies. One of the most popular agency automation systems is AMS for Windows, which uses SQL Server 7.0 on the backend. Their configuration REQUIRES the sa account to have a blank password! They deny support if you alter any settings on the server, which you purchase from them and they ship pre-configured for each agency.