Curious about the Inner Workings of the Animated Cursor Vulnerability?
KB 935423 and MS07-017 discuss the vulnerability and the associated patch. Reading through the SANS mitigation information, it appears that Vista users are not as bad off with this patch as I had previously thought because of Internet Explorer Protected Mode.
Note: If you've disabled IEPM on your Vista machines, re-enable it. Unless specific web sites or web site functionality require it to be disabled, leaving it turned on will go far in protecting IE from web exploits.
SANS reports the following on the vulnerability and what is affected:
- Microsoft is reporting that users of Internet Explorer 7 with Protection Mode are protected from active exploitation.
- E-mails opened in plaintext will not show embedded ANI files. Note that HTML attachments can still be interpreted when separately clicked upon. [Thunderbird | Outlook & 2.0].
- Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.
- Microsoft has now confirmed that:
---- Outlook 2007 users are protected (as the tool uses Word to display HTML messages);
---- Users of Windows Mail on Vista are protected if they do not forward or reply to malicious e-mail;
---- Outlook Express users remain vulnerable even when reading e-mail as plaintext.
- eEye has released an unofficial patch that you may wish to consider.
Computer Security Research has an interesting video of a system getting exploited at: http://www.avertlabs.com/research/blog/?p=233
