Based on past practice, Microsoft's Fixit workaround probably uses the Application Compatibility Toolkit to modify the core library of IE -- a DLL (dynamic link library) named "Mshtml.dll" that contains the browser's rendering engine -- in memory each time IE runs. The shim does not quash the bug, but instead makes the browser immune to the attacks Microsoft's seen in the wild thus far.
Users can also temporarily ditch IE for an alternate browser, such as Google's Chrome or Mozilla's Firefox, to stay safe until Microsoft comes up with a permanent fix.
Microsoft today declined to say when it plans to patch the IE vulnerability. But because the next regularly-scheduled Patch Tuesday is three weeks away, it's possible the Redmond, Wash. company's security team will deliver a so-called "out-of-band" update before Oct. 9.
Out-of-band updates from Microsoft are rare: The last one it shipped was MS13-008, an emergency patch issued Jan. 14 that plugged a hole in IE6, IE7 and IE8 that had been exploited since early December 2012.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.