The software giant expects to release the patch at 1 p.m. EST on Wednesday.
The vulnerability, announced last Wednesday, involves a data-binding issue and affects all supported versions of Microsoft's web browser. So far, however, Microsoft is only aware of in-the-wild attacks against IE7, said Christopher Budd, security program manager at Microsoft.
The company said it took immediate action to remedy the bug, updating its advisory on five different occasions to provide workaround guidance and ultimately pushing out a fix in just over a week.
"In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days," Budd said.
Microsoft malware analysts reported over the weekend that they were witnessing a significant ramp-up in websites hosting the exploit. Most of the sites were based overseas, particularly in Asia, but researchers estimated that some 0.2 percent of IE users worldwide had surfed to compromised web pages.
In an SC Magazine podcast recorded on Monday, researcher Fred Doyle of iSIGHT Partners called this vulnerability one of the "worst" he has seen, partly because of the readily available exploit code and ease of exploit construction.
This marks the second out-of-band security patch to be released by Redmond this year. In October, the company pushed out an emergency fix for a Windows Server Service vulnerability that was being leveraged to conduct targeted attacks.
Microsoft also released an out-of-band bulletin in April 2007 to correct potentially devastating flaws in the way Windows handles ANI files. In 2006, Microsoft issued an earlier-than-scheduled fix for a Windows Metafile (WMF) flaw.
Microsoft is planning webcasts at 4 p.m. EST Wednesday and Thursday so end-users can learn more about the latest patch.