More on the IE 0-day exploit

Posted 2005-11-22 08:39 by Christopher

[Update 12-01: There's now a Trojan in the wild that exploits this vulnerability. Information on Delf.DH can be found at Microsoft's site. SANS ISC handler Scott Fendley suggests that we might see an out-of-cycle patch for this.]

[Update 11-29: Some AV vendors have updated their definitions to protect against this. In order to be protected, the AV engine must scan the content before it is executed by the browser; otherwise it's just a warning that you were 0wn3d.]

Microsoft has released a security advisory about yesterday's 0-day exploit.  The advisory can be found here.

In the advisory, the only technical workaround presented involves disabling active scripting or causing the browser to prompt on active scripting. As most web pages use JavaScript, this doesn't really seem like a workable solution. Checking Microsoft Update for security patches, for example, prompts 11 times about running active content.

They also say in the advisory that the vulnerability was not reported responsibly to Microsoft before being widely publicized. If true, the company and people responsible have done us all a big disservice. Without a way to patch, and no usable workaround, we're left in a bad situation.