Recommendations

Run all client software as a non-privileged user with minimal access rights.
All non-administrative tasks such as reading e-mail and browsing the web should be performed as an unprivileged user with minimal access rights. This will reduce the consequences of successful exploitation.
Do not follow links provided by unknown or untrusted sources.
This issue may be exploited from a malicious web page. Users should be wary of visiting websites of questionable integrity or following links provided by unfamiliar or suspicious sources.
Do not accept communications that originate from unknown or untrusted sources.
This issue may potentially be exploited via HTML e-mail. Disabling support for HTML e-mail in the mail client may limit exposure to this attack vector. HTML e-mail may also be filtered using other means.

-- Symantec Security Advisory

An open letter to Symantec

On all your alerts you write:

"All non-administrative tasks such as reading e-mail and browsing the web should be performed as an unprivileged user with minimal access rights. This will reduce the consequences of successful exploitation."

Given the difficulty of effectively locking down Windows, it's hard to create a real "non-administrative user"... there are so many places privilege escalation can occur that you pretty much have to treat all local users as privileged on the local box.

You have to stop the attack earlier than that, by avoiding the use of applications that have any mechanism to run arbitrary code with even local user rights. Since the MS HTML control inherently exposes applications that use it to a mix of trusted and untrusted data without any clean distinction between the two, a far more vital recommendation is to avoid exposing any code that uses it to untrusted data.

So...

When are you going to start recommending that people use a browser other than Internet Explorer or mail software other than Outlook? There is other software that uses the MS HTML control, but these are the most common and most widely abused examples. There are many other fine web browsers that run under Windows, such as Mozilla (and its cousins) and Opera, and a great variety of free and commercial mail packages, and if people switched when they had the chance it would really cut down on the distribution of viruses.

IO
Lynx-enhanced by <peter at taronga.com> (Peter da Silva)