I don't think we will endorse this patch. There is no source code available, so we are not able to validate the patch.
Writing a cross-platform worm is difficult because it limits you to functions that are available on both operating systems. You have to also code the virus in assembly to make it work without relying on any OS-specific function.
The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash. Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack.