SANS @Risk Downplays risk of javaprxy.dll exploit


SANS @RISK is a bulletin summarizing recent vulnerabilities and the recommendations and actions taken by unnamed member companies. Their text on the javaprxy.dll exploit follows. It sounds like one company has a default stance of disallowing ActiveX from running in IE, and the others are just waiting on the real patch, which will hopefully come out on Tuesday.

__

Description: An exploit for the Internet Explorer flaw discussed in last
week's issue of @RISK has been publicly posted. The flaw was rated
"LOW" last week because the discoverer reported that the Microsoft team
could not reproduce the flaw at that time. Microsoft has now issued an
advisory for this vulnerability. The advisory also lists workarounds on
how to disable the javaprxy.dll COM object and how to prevent this
object from running in Internet Explorer. Note that even if javaprxy.dll
is not installed on a user's machine, an attacker can force its download
via the "codebase" attribute while instantiating this object.

Council Site Actions: Several of the council sites are still reviewing
the workarounds from Microsoft and waiting to see if a specific patch
for this problem is released next Tuesday. One site commented that
their default configuration for IE included the recommended patches and
workarounds. Another site has a large number of vulnerable systems,
about 12,000. In some cases, the end users are manually visiting the
Microsoft Download Center to obtain the registry update that disables
javaprxy.dll. They have not yet made an attempt to roll out this
registry update on a widespread basis, and have not yet sent a general
announcement to Windows users about the vulnerability. At a minimum, the
great majority of their systems will obtain an update through the public
Windows Update site, or through their local SUS server, whenever
Microsoft happens to release a patch for this.
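The "prevent this object from running in Internet Explorer" workaround is the IE kill bit: a Compatibility Flags value with bit 0x400 set under the ActiveX Compatibility key for the object's CLSID, which stops IE from instantiating the control even when the DLL is absent and a page tries to pull it in via "codebase". The script below is an added example, not the bulletin's or Microsoft's own registry update, for auditing a machine before rolling the fix out by script instead of sending users to the Download Center; the CLSID is a placeholder, and the real value must be taken from Microsoft's advisory.

```powershell
# Added example: audit, and optionally set, the IE kill bit for a COM object.
# The CLSID below is a PLACEHOLDER; substitute the javaprxy.dll CLSID from
# Microsoft's advisory. On 64-bit Windows, 32-bit IE reads the same key
# under SOFTWARE\Wow6432Node as well.
$Clsid    = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real CLSID
$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    # Returns NoKey, NoValue, NotSet or Set for the given CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return 'NoKey' }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'NoValue' }
    if (($flags -band $KillBit) -eq $KillBit) { return 'Set' }
    return 'NotSet'
}

function Set-KillBit {
    # Needs an elevated shell. Creates the key if missing and ORs 0x400 into
    # the existing value so other compatibility flags are preserved.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

# Audit first; only write when the bit is not already present.
$status = Get-KillBitStatus -Clsid $Clsid
Write-Output "Kill bit for $Clsid : $status"
if ($status -ne 'Set') {
    Set-KillBit -Clsid $Clsid
    Write-Output "Kill bit now: $(Get-KillBitStatus -Clsid $Clsid)"
}
```

Run Get-KillBitStatus alone across the fleet to find machines still exposed; Set-KillBit is the same registry change Microsoft's workaround makes, so it can be pushed through a logon script or policy rather than applied by hand.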


This page contains a single entry by Roger published on July 8, 2005 9:27 PM.
