OK, so we now know that hackers have a key that is signed by Verisign. Has that key been revoked? Folks, especially Windows folks, are pretty screwed until they can get that revocation out. This is bad for Linux and OS X users as well, because I would imagine that most folks are going to trust that cert, which we now know is in malicious hands.
Just as important: How many of the OSes and applications out there that trust signed keys go to the extra trouble of checking the revocation list also?
I can tell you that not all of them bother with that additional step.
And for those unfortunate users, that compromised key is still as good as gold. Except of course it's not...
If you have an internal corporate CA, you could turn off acceptance of external code signing certificates and only trust those issued by your internal CA. It would make installation of new third-party software difficult, but it would protect your network until the CRLs and OCSPs can be updated.