Microsoft is pushing out an emergency out-of-cycle patch today to fix a critical bug in Internet Explorer that attackers have been exploiting for more than a week.
The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.
Microsoft will deliver the out-of-cycle patch on Wednesday at 1 p.m. EST via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).
The update will be pegged "critical," the most serious ranking in Microsoft's four-step scoring system.
Even as it declared that it would release an emergency fix, Microsoft continued to downplay the threat. "At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said company spokesman Christopher Budd in an email on Tuesday.
Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.
Last weekend, Microsoft researchers said that they had seen a "huge increase" in attacks, and that some were originating from legitimate Web sites. Another researcher added that about 6,000 infected sites were serving up exploits that target the IE vulnerability.
Also today, Microsoft confirmed that attacks could be launched through Outlook Express, a free email client bundled with Windows XP.
Because Outlook Express renders HTML-based messages using IE's engine, attackers could exploit the bug by getting users to open or view malicious messages.
This will be the second out-of-cycle patch from Microsoft in the last two months. In late October, it issued an emergency fix for a critical vulnerability in the Windows Server service; like IE's bug, that one had been actively exploited before Microsoft was able to come up with a patch.
All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.