It seems that online criminals aren't waiting for zero-day exploits to be found, but are now making their own: someone broke into the sourcecode for SquirrelMail, an open-source webmail client, and
introduced a bug which allows arbitrary remote code execution. This was detected and rectified fairly quickly (mostly because the MD5s of the package were stored elsewhere), though anyone running one of the vulnerable version may want to check their server logs to make sure they're not hosting anything like
this.
This is probably just the tip of the iceberg; it's not unlikely that criminals (or, for that matter, intelligence agencies) have attempted to introduce security holes into other pieces of net-facing software.
Meanwhile, Windows Vista now not only chews up your CPU cycles on behalf of the RIAA/MPAA, but also includes a random-number generator believed to contain a NSA security hole.