MD5 still has not been broken. Certain aspects of MD5 have been broken, but as a one-way hash function it remains unbroken. In particular, if I (a non-hostile party) pick a file to hash and publish that hash with or without the original file, a hostile attacker still cannot find the original file (nor any other stream) to generate that same hash.
What has been broken are various scenarios where the attacker controls the source file to be hashed. That means that as a digital signature it's no good anymore.
I think it's important to emphasize this because in all the news about weaknesses and attacks, people sometimes get the idea that the sky is falling, and that it's hopeless to really stay secure. That kind of thinking quickly leads to security through obscurity. In fact, the sky is most certainly not falling. Even though many attacks are successful in improving on brute force, even ancient deprecated stuff like MD5 has not been fully broken; indeed its most critical feature remains essentially untouched (according to Wikipedia, preimage attacks have managed to reduce the complexity from 2^128 to 2^123.5 or in other words: nobody cares). And even as a signature, if you had picked MD5 and used MD5 before the attack was developed, you can be reasonably confident that that signature remains valid today.
So yes: don't develop new software using MD5, and retire software relying on MD5 for signatures. And for other applications, if you can easily migrate away from MD5 (and really, SHA-1 too) - do so! It's easier to reason about security if you don't need to sweat details like this. But if you have an existing application that can't easily be migrated, then don't panic either; just be aware that you need to more carefully consider what it means to have a matching hash (in short it's either the same file, or a different file the original author wanted to appear similar).
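Added example, not part of the original comment: the two properties the comment separates (finding any two inputs that collide versus matching a hash someone else already published) measured by generic brute force on MD5 truncated to 16 bits. The truncation width, message prefixes and function names are assumptions chosen so it runs in about a second; the real MD5 collision attacks are analytical and cost far less than the generic bound shown here, while the preimage side stays near the generic cost.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy width; full MD5 is 128 bits


def tag(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of the MD5 digest, as an integer."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(bits: int = BITS):
    """Attacker picks BOTH inputs: expect roughly 2^(bits/2) tries."""
    seen = {}
    for i in count():
        msg = b"c-%d" % i
        t = tag(msg, bits)
        if t in seen:
            return seen[t], msg, i + 1
        seen[t] = msg


def find_second_preimage(published: bytes, bits: int = BITS):
    """Attacker must hit a tag fixed by someone else: expect ~2^bits tries."""
    target = tag(published, bits)
    for i in count():
        msg = b"p-%d" % i
        if msg != published and tag(msg, bits) == target:
            return msg, i + 1


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    forged, p_tries = find_second_preimage(b"published-file")  # constructed input
    print(f"collision      : {c_tries} tries (generic ~2^{BITS // 2})")
    print(f"second preimage: {p_tries} tries (generic ~2^{BITS})")
```
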