To add fuel to that speculation, Brian Krebs of the Washington Post quoted Dullien last week as saying Microsoft had called and asked him not to comment further on the vulnerability.
Neither Dullien nor Elser responded to requests for comment on Sunday.
Other security researchers either declined to comment or assumed Dullien is on the right track.
"I don't think I can comment specifically, but I am prepared to say that whenever Microsoft goes to the trouble of doing an out-of-band [update], people should probably pay attention, and patch as soon as they can," said Roger Thompson, chief research officer at security software vendor AVG Technologies, via instant messaging on Saturday. Two weeks ago, Thompson warned that the ActiveX vulnerability was a prime candidate for another Conficker-scale attack.
"If what [Dullien] said on his blog is even remotely correct, and if his call from Microsoft is credible, then consumers and Microsoft partners have got some serious work ahead," warned Andrew Storms, director of security operations at nCircle Network Security, in an e-mail Sunday.
Calling the out-of-band updates a "stand-up-and-pay-attention moment," Storms also recommended that businesses test the patches thoroughly before they're deployed. "Enterprises may want to wait a few days and see what their other software vendors have to say," he urged. "Reason for the extra caution? It appears that some companies may be using the ill-fated Microsoft function and when patched, [that] may cause some unexpected consequences."
Storms offered up another reason for Microsoft's Tuesday patching. "Many of the same security professionals will be in Vegas for Black Hat, which in itself may have jump-started Microsoft's emergency patch release," he said. Black Hat, which kicked off Saturday, runs through Thursday. Dullien, as Halvar Flake, was slated to conduct a training session at Black Hat, according to the conference's schedule.
Thompson seconded Storms. "I think the next big thing to watch for is to see what comes out at Black Hat," he said. "I truly don't know of anything, but I'm fairly sure that hackers are hacking."
"More to come on Tuesday when we get the patches, obviously," concluded Storms.
Microsoft will issue the out-of-band updates Tuesday, July 28, via its usual Windows Update and Windows Server Update Services (WSUS) mechanisms. If it releases them on the same timetable as its monthly update, they should be available around 1 p.m. ET.
Later in the day, at both 4 p.m. and 7 p.m. ET, Microsoft will host a webcast to take customer questions. Typically, Microsoft hosts such webcasts the day after it delivers patches.