Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. [entire bulletin]
Now, in fairness to Microsoft, they say they have a fix ready, and are spending a week testing it. Testing's a good thing. SixApart could try it some time. But it still seems like a long time.
Of course, we were vulnerable for 400 times as long, so I guess I shouldn't complain.
For those that don't want to wait for Microsoft's fix, Ilfak Guilfanov, a programmer and blogger, has a fix that can be uninstalled.
Of course, there's always other options