0-day Microsoft: too much expectation, and this is the tragedy
By Fabien PERIGAUD, Tuesday 7 July 2009 at 12:02 :: General :: #320
A 0-day vulnerability was publicly announced yesterday (Ref. Lexsi 11939) in a Microsoft DirectX DirectShow ActiveX control. The control can be instantiated from the browser, and passing it specially crafted parameters triggers a buffer overflow. You know what happens next: shellcode execution, malware download, information theft...
The affected control has the CLSID {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}; setting the traditional "kill-bit" on it forbids its instantiation and is enough to block exploitation.
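The kill-bit is simply a registry flag read by Internet Explorer: a DWORD named "Compatibility Flags" with the 0x400 bit set, under the ActiveX Compatibility key for the control's CLSID. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes an elevated PowerShell prompt on the affected machine, and it also writes the Wow6432Node view when that hive exists, because 32-bit Internet Explorer on 64-bit Windows reads the redirected key.

```powershell
# Added example (not from the original post): set the IE kill-bit for the
# vulnerable DirectShow control and verify it afterwards. Run elevated.
$clsid   = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the bulletin above
$KILL_BIT = 0x400                                      # "Kill Bit" compatibility flag

$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
# Assumption: on 64-bit Windows, 32-bit IE reads the Wow6432Node view as well,
# so the flag is written there too. Skipped on 32-bit systems where the node is absent.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }

    # Preserve any compatibility flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($current -bor $KILL_BIT) -Type DWord
}

# Verification: report the flag value and whether the kill bit is set in each view.
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($v -band $KILL_BIT) { 'set' } else { 'NOT set' }
    "{0}`n  Compatibility Flags = 0x{1:X} (kill bit {2})" -f $p, $v, $state
}
```

Setting the bit does not remove or patch the DLL; it only stops Internet Explorer from creating the object, which is why it works as a stopgap until a real fix ships. Deploying the same two registry values through Group Policy Preferences gives the identical result across a fleet.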
This is not the first time an unpatched vulnerability has been exploited in the wild to distribute trojans, worms and other malicious code.
However, the bulletin issued by Microsoft today is a bit surprising. The CVE identifier assigned to this vulnerability is CVE-2008-0015. You said 2008, didn't you? The vulnerability seems to have been discovered in late 2007 by the ISS X-Force team, and was certainly reported to Microsoft soon after. We have good reason to wonder why there has been no fix, or at least a workaround blocking the vulnerable ActiveX control, as Microsoft regularly does with its "Update Rollup for ActiveX Kill Bits", for almost a year and a half...
What was bound to happen has happened: researchers with less noble intentions discovered the vulnerability on their own.
As for mitigations, Snort rules have been released against the exploit code used in the wild, and the ISC maintains a list of domains known to host that code.