Financial institutions with critical systems and cash on the line are reorganizing to deal with the closing gap between the hole and the patch. Case in point, the June 25th Russian attacks that turned IIS servers into delivery platforms for identity-thieving Trojan keystroke loggers. The attacks relied on two vulnerabilities in Internet Explorer that security researchers discovered for the first time weeks earlier on a malicious adware-implanting website. At the time of the attack, no patch was available. But the episode proved that the zero day concern is more than hyperbole.