That the vulnerability is browser-exploitable is the bad news: attacks can be surfed into vulnerable systems by innocent users. The good news is that it's exploitable only through IE6 and IE7; users who've upgraded to IE8 are immune, as are Vista and Windows 7 users.
But it's the fact that this is an unpatched vulnerability that gives the most pause and raises the largest alarms.
Conficker made its way into as many as 12 million machines despite a long-available patch for the vulnerability it exploited. The problem -- and the opportunity for the crooks -- was the lax (to say the least) approach to patching on those machines.
The new exploit is unpatched as yet, a fact that may more than outweigh the fact that it affects relatively elderly code.
Microsoft promises a patch soon, but until then a workaround is available from Microsoft. The workaround disables the Video ActiveX control in question.
Don't put this one off -- if you or any of your employees are running Windows XP or Windows Server 2003, implement the workaround now.
Microsoft has labeled this vulnerability critical, which of course it is. And, of course, it has been critical for as long as Microsoft has known about it and not fixed it.