More details about the zero-day exploit for IE7 are starting to surface. The most shocking detail is that this is actually an older issue: eEye reports that this was first seen on 11/15. eEye says that no mitigation strategies currently exist; Symantec suggests that disabling JavaScript will at the very least disable the current attack vector:

Our advice for Windows users is as follows:
•    Update your AV and IPS software with the latest signatures
•    Run Internet Explorer with limited privileges
•    Enable DEP protection for browsers
•    Disable JavaScript in Internet Explorer
•    Avoid following links to un-trusted sites

iDefense provides a nice timeline and details about the value of a zero-day: only $15.000…

According to knownsec, earlier this year a rumor emerged in the Chinese underground about an IE7 vulnerability and in October it began to be traded privately. In November it got into the underground black market and was traded for about $15K. Later in December, it emerged and people sold the exploit second or third hand for about $650. Finally, someone purchased those second hand exploits to develop and deploy a Chinese gaming Trojan.

On top of this issue, there are also reports about a WordPad issue that is being investigated by Microsoft. All in all, I wouldn’t be too surprised if one or more emergency patches are released before the end of the year.