Microsoft Security Bulletin MS06-067 - Cumulative Security Update for Internet Explorer (922760)
OK, this bulletin addresses 2 different vulnerabilities that in my opinion require 2 different responses.
First, there is a simple ActiveX control vulnerability (DirectAnimation / HTML+TIME 1.0) that is public and being exploited in actual attacks. That means you should either immediately deploy the patch or use my free and handy KillBits administrative template to set the kill bit on the control via group policy. DirectAnimation is used by sites that include HTML+TIME 1.0 content. HTML+TIME (Timed Interactive Multimedia Extensions) adds timing and media synchronization support to HTML pages. Be aware that disabling the control, whether by setting the kill bit or by deploying the patch (which also disables it), breaks sites that still use HTML+TIME 1.0. By now sites should have switched to HTML+TIME 2.0, which is not affected by this vulnerability and is not disabled by the patch or the kill bit.
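For readers who want to set or verify the kill bit by hand on a single machine (or confirm that the group policy template actually applied), here is an added PowerShell example. It is not from the original post and is not the KillBits administrative template itself; it writes the same registry value that the template and Microsoft's own kill-bit guidance use. The CLSID is assumed to be the DirectAnimation.PathControl control from daxctle.ocx; take the authoritative list of affected CLSIDs from the MS06-067 bulletin and run the function once per CLSID. The kill bit is one bit (0x400) in the "Compatibility Flags" bitmask, so the script ORs it in rather than overwriting flags that may already be there. Run it from an elevated session.

```powershell
# Added example: set and verify an Internet Explorer ActiveX kill bit locally.
# Not the KillBits ADM template; this is the per-machine registry equivalent.

$ActiveXCompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag      = 0x400   # the kill bit within "Compatibility Flags"

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{D7A7D7C3-...}' including braces

    $key = Join-Path $ActiveXCompatKey $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present: the kill bit is a single bit in a mask.
    $current = 0
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { $current = [int]$prop.'Compatibility Flags' }

    $desired = $current -bor $KillBitFlag
    if ($desired -ne $current) {
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $desired -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $key = Join-Path $ActiveXCompatKey $Clsid
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $prop) { return $false }
    return (([int]$prop.'Compatibility Flags' -band $KillBitFlag) -eq $KillBitFlag)
}

# Assumed CLSID for DirectAnimation.PathControl (daxctle.ocx); verify against the bulletin.
$DirectAnimationPathControl = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'

Set-ActiveXKillBit -Clsid $DirectAnimationPathControl
if (Test-ActiveXKillBit -Clsid $DirectAnimationPathControl) {
    "Kill bit set for $DirectAnimationPathControl; IE will refuse to instantiate it on the next page load."
} else {
    throw "Kill bit not present for $DirectAnimationPathControl"
}
```

Two caveats: Test-ActiveXKillBit is the check to run on a sample of workstations after the GPO refresh, since a kill bit that never reached the registry protects nobody; and on 64-bit Windows the 32-bit browser reads the same key under SOFTWARE\Wow6432Node, so the value has to be present there as well.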
Second, there is the vulnerability in how Internet Explorer 6 and earlier interpret HTML with certain layout combinations. Malicious HTML content could allow an attacker to run arbitrary code on the victim's computer. This vulnerability is not public and is not being actively used in attacks, so stability-conscious organizations will want to test the patch before deploying it.
Provided you address the ActiveX vulnerability by setting its kill bit, you should have time to fully test the patch before deploying it to address the HTML rendering vulnerability.
Get this valuable commentary each month as soon as Microsoft releases security updates!
Free log parser scripts, a clear explanation of Microsoft's
latest security bulletin, helpful security tips, how-to's and more.