Well, we've all talked about the zero-day exploit for a long time. Seems it has arrived According to an advisory issued by Microsoft last night and report at eWEEK this morning, a newly discovered vulnerability in Internet Explorer has already been exploited and code is in the wild. This is serious enough that Microsoft has already released a workaround and seems to be leaning toward an out-of-cycle patch as soon as it's been developed.

From the eWEEK report:

"Microsoft late Thursday issued an advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting users of its Internet Explorer browser.

The release of the advisory comes less than 24 hours after the FrSIRT (French Security Incident Response Team) published a proof-of-concept exploit that could be used by malicious hackers to target IE users.

There is no patch available for the vulnerability and, because exploit code has already been released, incident handlers at the SANS ISC (Internet Storm Center) believe a widespread attack is very likely.

The software giant has also activated an RSS feed for its security advisories to help customers keep track of threat warnings."

Subscribed.

UPDATE: SANS has posted both a command-line and GUI tool to set a "kill bit" to close the vulnerability. The SANS page warns that this workaround t may impact some legitimate ActiveX controls that call the affected .dll file. The change is easily reversible.