"They will go out of band on this," asserted Miller. "Windows XP users can't get to IE9, and there are a lot still running XP. I think they'll [have a patch] as soon as next week, and no later than two weeks."
IE9 and IE10 do not contain the bug, which according to Symantec, was used by the Elderwood group for cyber espionage. But because IE9 won't run on Windows XP, those customers are stuck with a vulnerable browser. Data from Web analytics company Net Applications puts XP's online usage share at 39 percent in December, meaning nearly four out of every 10 personal computer users runs the aged OS.
January's security updates can be downloaded and installed through the Microsoft Update and Windows Update services, as well as via WSUS (Windows Server Update Services), the de facto patching mechanism for businesses.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+, or subscribe to Gregg's RSS feed. His e-mail address is email@example.com. See more articles by Gregg Keizer.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.