From the ‘I told you so’ files.
Microsoft’s own Exploitability Index pegged the flaw as a number 1, which means that the flaw can be replicated consistently and that Microsoft expected an exploit to exist within 30 days.
So a little less than 30 days – but Microsoft’s Exploitability Index is right on the money.
In my professional opinion, despite what others may write or blog, this new exploit is NOT a zero day, and it is NOT at all like the flaw that Microsoft had to issue an out-of-cycle update for last year. This is a flaw that Microsoft knew about; they fixed it and they properly disclosed the risk in their Exploitability Index. The out-of-cycle update was for a flaw which was out in the wild before there was any patch, and there was no advance mitigation prior to the vulnerability being in the wild (which is the definition of zero day in my book).
Bringing this story full circle, Microsoft originally announced the Exploitability Index at Black Hat Las Vegas last summer as a way to be more transparent about what it perceives to be risk. This new IE7 exploit in the wild proves that Microsoft does have a grip on risk – at least this time.
So when Microsoft pegs a vulnerability in one of their own advisories as being a 1 in the Exploitability Index, better make sure you update quickly, as you have 30 days or less until the flaw is attacked in the wild.