CERT has issued an advisory on this and asked everyone to patch their servers.
Vulnerabilities such as this could theoretically allow even remote attackers to misdirect customers to spoofed pages of their banks, especially if banks do not rely on SSL for all their content.
I would urge all banks to switch entirely to SSL for *all* the content as soon as possible.
Most users do not type "https" prior to the URL. To handle such cases, the home page should immediately be redirected to a secured page. See www.fidelity.com, www.bankofamerica.com, www.wellsfargo.com for examples of that redirection.
With the correct use of SSL by banks, customers must also be careful. A careless customer can continue to be vulnerable if he/she does not pay attention to the hostname in the URL and the use of https prefix, or ignores certificate warnings from their browser. If banks consistently use SSL, careful customers should check the URL to make sure it starts with https://xyz.your-bank-domain.com/... and should not ignore warnings from their browser.