Apparently the method used in compromising the Google emails last week (termed Aurora) was traced to an as-yet-unknown security hole in Internet Explorer. Microsoft claims that the security flaw is limited to Internet Explorer 6 and Windows XP only and is very unlikely under Windows Vista or Windows 7; however, experts, including McAfee, disagree with Microsoft’s threat assessment.
Even if you take Microsoft’s claim at face value, XP must be SP3 or later and Vista SP1, assuming the user didn’t disable Data Execution Prevention (DEP). Furthermore, DEP is not a panacea against memory buffer overflow attacks, as stated here:
McAfee has so far explored only one of the attack vectors exploited in the Aurora attack. There may be, and likely are, more that we don’t know about yet, and in fact those vectors may extend to Firefox, Opera and Chrome. We just don’t know yet.
Microsoft will likely come up with an out-of-band patch shortly. Until then, I am recommending using Firefox (all patched up, of course).