While Wee continued Wednesday to say that Microsoft was aware of only a "small number of customers" victimized by the newest IE zero-day, the company typically unleashes an emergency update only when it believes the threat is substantial and when the volume of attacks is quickly increasing.
IE6, IE7, IE8, and IE9 all are vulnerable to attack, Microsoft confirmed in an advance notice of the impending patch. Only IE10, the version bundled with Windows 8, does not contain the bug. Those browsers, which collectively run on Windows XP, Vista and Windows 7, accounted for 53 percent of those used last month worldwide, according to metrics company Net Applications.
One security researcher predicted at least part of Microsoft's news several hours before the Redmond, Wash., software maker announced its next move. "I think we'll see the Fixit today and [a] patch tomorrow," said Andrew Storms, director of security operations at nCircle Security, during a Wednesday instant message conversation. "They've been communicating something every day so far this week," Storms said.
On Tuesday, Microsoft said it would issue a Fixit tool "in the next few days."
Microsoft will release the emergency update at approximately 1 p.m. ET Friday via the Microsoft Update and Windows Update services, as well as through WSUS (Windows Server Update Services), the de facto corporate patch deployment tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.