Microsoft will issue an emergency update to patch a vulnerability in Internet Explorer in the next two weeks to fix a flaw criminals have been using for more than a month, researchers said.

From Computerworld:

When Microsoft acknowledged the IE zero-day vulnerability Dec. 29, several security firms said that the website of the Council on Foreign Relations (CFR), a notable U.S. foreign policy think tank, was hosting attack code targeting IE8. Since then, other domains have been found conducting similar drive-bys, including one maintained by an Iranian oil company.

In lieu of a patch, Microsoft issued one of its automated "Fixit" tools to block attacks, and also recommended that customers deploy the Enhanced Mitigation Experience Toolkit (EMET), a separate anti-exploit utility.

Researchers: Microsoft will pull trigger on emergency IE patch