I think you're well covered Dave, hehe. Generally speaking, ActiveX and javascript have always given exploits the keys to the kingdom when little else has, so keeping them under control is often enough. Although earlier this month an EOT exploit
against Internet Explorer was published, which didn't require ActiveX or JavaScript to trigger, which is about as severe as it gets. But no matter what, exploits come and go, and in my view sensible browsing habits are more important than any security software.
As far as this new KM exploit goes, at this stage it's only a proof of concept, and I don't know if separate code is required to affect each web browser. If separate code is required then perhaps KM won't be as likely to be targeted, assuming a KM user could even FIND a website using the exploit, unpatched and unprotected, with javascript enabled.
In general I'd recommend sandboxing all browsers with
Sandboxie if possible (particularly when letting non techies loose on the net), which is free for personal use but requires Windows 2000 or higher. I don't get to use it much but I think it's
one of the greatest programs ever made. Small, lightweight, simple and completely configurable, it basically contains anything you run inside it, from web browsing sessions, to software installations or even viruses, delete a sandbox afterward and it's like none of the above ever existed on your drive. Typical reviews
here and
here, with more
here at the official site.
Siria, Windows 98 has it's privileges, one of which is great online security. Long years of practical experience with it, without so much as a firewall or resident anti-virus / anti-malware, have made me feel invincible.