Yes, there’s an IE Zero Day but it’s not time to panic.
Take a deep breath and remember that we’ve seen a lot of zero-days recently in Adobe and Java. It’s been quite a while since we’ve seen one with Internet Explorer, but this too will pass.
The bad news is that the bug affects all versions of IE except IE10. The Metasploit exploit requires the presence of Java on the target system, so systems without Java are safe against Metasploit-based exploits for now. This seems like a very good time to re-evaluate how many of your systems really need to run Java.
Unfortunately the mitigations provided by Microsoft will not be palatable for many companies.
Setting both Internet and local security zones to ‘high’ to block ActiveX controls and Active Scripting will probably disable valid business applications.
The other mitigation option Microsoft suggests is using their Enhanced Mitigation Experience Toolkit (EMET). EMET is a great tool, but at this point, it’s not clear that EMET blocks every attack vector. If you haven’t already deployed this toolkit, it’s a great time to think about it, but not a great time to do so in a hurry.
In fact, it’s never a good idea to deploy a new tool without adequate testing, so while this event might be a great catalyst to start the EMET deployment process, IT security people shouldn’t let the stress of the situation affect their judgment or planning.
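Before deciding whether the zone mitigation above is something you can live with, it helps to know where your machines actually stand. The following PowerShell audit is an added example, not part of the original post or of Microsoft's guidance; it assumes the standard IE zone registry layout (Local intranet = zone 1, Internet = zone 3; action 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting; data 3 = disable) and reports whether both controls are disabled in both zones, checking the Group Policy hive before the user hive.

```powershell
# Added example (not from the original post): audit whether the two controls the
# mitigation targets are disabled in the Internet (3) and Local intranet (1) zones.
# Assumes the standard IE zone registry layout: action 1200 = Run ActiveX controls
# and plug-ins, 1400 = Active scripting; data 0 = enable, 1 = prompt, 3 = disable.
# Policy settings under HKLM\...\Policies take precedence over the per-user hive.
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$state   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$hives = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ZoneAction {
    # Return the first hive that defines this action for this zone, or $null if none does.
    param([int]$Zone, [int]$Action)
    foreach ($hive in $hives) {
        $key = Join-Path $hive $Zone
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $value = $props.PSObject.Properties[$Action.ToString()]
            if ($value) { return [pscustomobject]@{ Source = $hive; Data = [int]$value.Value } }
        }
    }
    return $null   # not set explicitly: IE falls back to the zone template default
}

$results = foreach ($z in $zones.Keys) {
    foreach ($a in $actions.Keys) {
        $r = Get-ZoneAction -Zone $z -Action $a
        [pscustomobject]@{
            Zone      = $zones[$z]
            Action    = $actions[$a]
            Setting   = if ($r) { $state[$r.Data] } else { 'not set (template default)' }
            Mitigated = ($null -ne $r -and $r.Data -eq 3)
            Source    = if ($r) { ($r.Source -split ':')[0] } else { '' }
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Mitigated -contains $false) {
    Write-Warning 'At least one zone still allows ActiveX or Active Scripting; the mitigation is not fully in place.'
}
```

Run it under the account whose IE settings you care about, since the HKCU values are per user; a "not set" result means the zone is running on its template default rather than an explicit setting.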
IE10 isn’t affected by this bug, and until Microsoft provides some insight, we don’t know why. The most likely answer is that the bug was already found and fixed in IE10, but Microsoft hasn’t back-ported the fix to earlier versions. If this is the case, we can expect a fix for this bug pretty quickly. My money is on an out-of-band patch before the next Patch Tuesday on Oct. 9.
Here’s the bottom line: I repeat, don’t panic. The ugly truth is that we’ve all been here before and the sad truth is that we’ll all be here again. There’s probably always a zero-day available somewhere in the world for the software on every system.