Like the CFR attacks, those originating on the Department of Labor website were dubbed "watering hole" attacks, so named because the exploits were planted on sites frequented by the targeted users. Fairfax, Va.-based Invincea said last Friday that those targets were workers and officials in the U.S. Department of Energy involved in nuclear weapons research.
Since Friday, other security firms have said that the risk was greater than first believed, with up to nine other websites, including an unnamed European aerospace and defense contractor, similarly compromised to launch attacks. Irvine, Calif.-based CrowdStrike said the attacks may have begun using the IE8 vulnerability as long ago as mid-March.
Storms praised Microsoft's rapid response to the threat and its ability to come up with a fix, test it on both IE8 and IE9 -- the latter has the vulnerable code but cannot be exploited -- and prepare the package as the company readied the rest of Patch Tuesday's updates. "That's a lot of work in just a week," said Storms, referring to the time since researchers identified the true nature of the vulnerability.
"I'm surprised. I thought they wouldn't get this out until the end of next week as an out-of-band," Storms said, using the term for an emergency security update.
The other IE update, Bulletin 1, will likely include fixes for the vulnerabilities revealed a month ago at the Pwn2Own hacking contest, said Storms. His prediction was a repeat of last month's, when he bet that the Pwn2Own bugs would be patched April 9.
"The Pwn2Own fixes have got to be in there, come on now," said Storms, saying Microsoft could legitimately be accused of dropping the ball if it doesn't patch the vulnerabilities this round.
At March's Pwn2Own contest, a team from the French firm Vupen exploited two bugs to hack IE10 on Windows 8 Pro, winning $100,000 for demonstrating the exploits and providing proof-of-concept attack code.
Google and Mozilla patched the vulnerabilities disclosed in their Chrome and Firefox browsers within hours of the contest, leaving Microsoft as the laggard among the makers of the browsers brought down at Pwn2Own.
The scant information included in Microsoft's advance notification of next week's updates makes it almost certain that the Vupen vulnerabilities will be patched by Bulletin 2.
"The first stage vulnerability that we used at Pwn2Own against Windows 8 and Internet Explorer 10 affects all versions of IE from IE6 to IE10, all versions of Windows from XP to Windows 8, and also Surface Pro and Surface RT," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions last month.