re: So, Microsoft...
You know this vulnerability is a buffer overflow, right? It has nothing to do with ActiveX or any sort of OS integration. It's simple code injection and execution, which can happen (and has happened) with any browser, even Firefox.
re: Steven Snape
That's what security zones are for. All Microsoft needs is a simpler UI around them, one that doesn't require going into the settings dialog to add a domain to a white/blacklist. Not that they would have prevented this bug (AFAIK it's in the parser, and exploitable without ActiveX or JavaScript), but they would be generally useful.