How long has Microsoft already known about these bugs?
As far as I know, Microsoft learned about the bugs in IE that are being exploited last week, when Jelmer announced them to Bugtraq.
For whatever reason, Jelmer decided to announce the vulnerabilities publicly first, before contacting Microsoft, which puts further stress on the fix process.
Over the past several vulnerabilities (Sasser, MS-Blaster, etc.), we've seen a steadily decreasing period of time from the public announcement of the vulnerability to the exploitation of the vulnerability.
It took 18 months for the vulnerability used in SQL Slammer to be exploited in the wild. It took about 1 week for the vulnerability used in MS-Blaster/Sasser to be exploited.
And it took Jelmer's vulnerabilities about a week.
If someone contacts Microsoft FIRST with the vulnerability, without going public, it gives Microsoft a head start on the hackers to start the fix process.
This can be the difference between an exploit that devastates the internet and one that is a major annoyance. Fortunately, for this one, it was neither.
Btw, Jelmer's vulnerability was a way of crafting a URL so that it believes that the target of the URL is in the Local Computer zone, and not the internet zone. As a result, since IE believed that the script was in the local computer zone, it was allowed to do much more than normally allowed.
The scary thing about this exploit is not this particular exploit. It's the ones that are going to be coming in the future that use it. This particular exploit was fairly ham-handed; it required defacement of vulnerable web sites. I believe that there are other ways this can be exploited that don't require hosting on external web sites.
The good news (as others above have said) is that the vulnerability was identified internally during the XP SP2 review process. Which means that we probably know how destabilizing the fix will be.
On another related tack...
The security response team is on the 3rd floor of my building. When an incident occurs, they shut down all the conference rooms on the floor, and effectively turn them into C&C centers. They effectively live in the room from the start of an incident until it's over. This is a REALLY big deal.