Browser vulnerabilities get stealthy

Over at DDJ.com, they're reporting “New Hacker Toolkit Cloaks Browser Exploits.” No real surprise there – polymorphic browser exploits can avoid primitive signature detection techniques that just look for “DO BadCode()” in the payload. Code that runs in a browser has to run in a safer environment, like the “security sandbox” design of Java. ActiveX controls are just Windows executables that run with the permissions of the user. That won't work, no matter how many “digital signatures” or “Are you sure” dialogs MS layers on top of their insecure design. JavaScript isn't much better: the potential for downloadable JavaScript network scanners implies that every device on the network must be firewalled from every other.

There are no easy solutions in sight. Run with the least privileges practical. Firewall off unneeded services. Scan for unacceptable activity in memory and on disk. Turn off runtime capability in the browser except when needed – Flash, ActiveX, JavaScript and Java should only run with permission of the user.
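An added example (not from the original post or the DDJ article) of why a literal signature match misses rewritten script, and how far normalizing the source before matching gets a scanner. The samples are constructed and harmless; `BadCode` is the post's placeholder name, and the function names are assumptions of this example.

```javascript
// Added example: constructed, harmless samples; "BadCode" is the post's placeholder.
const SIGNATURE = "BadCode";

// Primitive detection: literal substring match on the raw payload.
function naiveScan(src) {
  return src.includes(SIGNATURE);
}

// Undo simple source-level rewrites before matching (approximate, not a JS parser).
function normalize(src) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex) // \x42 -> B
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex) // \u0043 -> C
    .replace(/["']\s*\+\s*["']/g, "");        // "Bad" + "Code" -> "BadCode"
}

function normalizedScan(src) {
  return normalize(src).includes(SIGNATURE);
}

// Constructed samples: the same call written four ways, plus unrelated script.
const SAMPLES = {
  plain: String.raw`BadCode();`,
  split: String.raw`window["Bad" + "Code"]();`,
  escaped: String.raw`window["\x42ad\u0043ode"]();`,
  computed: String.raw`window[String.fromCharCode(66,97,100,67,111,100,101)]();`,
  benign: String.raw`console.log("hello");`,
};

// Run both scanners over every sample and return the verdicts by sample name.
function scanAll() {
  const out = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveScan(src), normalized: normalizedScan(src) };
  }
  return out;
}

console.table(scanAll());
```

The `computed` sample is missed by both scanners because the name only exists at run time, which is why scanning is one item in the list above rather than the whole answer.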

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.