AlienVault, said Blasco, had begun looking into the "watering hole" attacks stemming from the CFR website at the beginning of the week, and had alerted the Microsoft Security Response Center (MSRC) that it suspected IE harbored a zero-day vulnerability.
In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. Attackers next compromise one or more of those sites, plant malware on them, and like a lion waits at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.
The CFR did not immediately reply to a request for comment on its site's current status.
Other researchers claimed that attacks using the IE vulnerability started as early as Dec. 7, and alleged that Chinese hackers were responsible for the CFR website hack.
In an email to Computerworld and in a follow-up blog Saturday, Microsoft said it is working on a patch for IE6, IE7 and IE8. The company did not set a timetable for an update's release, however.
Jonathan Ness and Cristian Craioveanu, engineers on Microsoft's security team, provided some details on the IE flaw in a separate post to the Security Research & Defense blog. "We're working around the clock on the full security update," Ness and Craioveanu wrote.
They also announced the availability of a "shim" that can protect IE6, IE7 and IE8 users if they're running the most up-to-date versions of those browsers.
Shim is a term used to describe an application compatibility workaround. Microsoft has applied shims in the past to help customers ward off active attacks against IE.
The shim will be used as the foundation for a soon-to-be-shipped "Fixit," Microsoft's name for the one-click workarounds it often publishes to automate processes, including security mitigations, that most users would feel uncomfortable doing on their own.
To apply the available shim, for instance, users must download the small files from the SRD blog, then enter one or more strings in Windows' Command Prompt.
This was the second year in a row that Microsoft has had to deal with an emergency update in the waning days of December.