"For the record ... EMET can also be bypassed to exploit CVE-2012-4792," said Exodus on its Twitter feed on Tuesday, using the IE bug's Common Vulnerabilities and Exposures identifier.
Microsoft's next Patch Tuesday is Feb. 19, five weeks away. But Microsoft won't wait, said Jason Miller, VMware's manager of research and development, in a Tuesday interview. "They will go out of band on this," Miller said. "I think they'll [have a patch] as soon as next week, and no later than two weeks."
Beyond the upswing in attacks and Exodus Intelligence's finding, said Miller, another factor in play is that while Microsoft has urged customers to upgrade to IE9 or IE10 if possible -- neither of those newer editions contains the vulnerability -- Windows XP users can go no further than IE8, the 2009 edition that is the last in the line for the 11-year-old OS.
"Because XP can't get to IE9, I think Microsoft will go out of band," Miller said.
Emergency updates have become rare for Microsoft. The company has issued only two since September 2010.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.