IE7, IE8 and IE9 users who browse to websites infected with the exploit will automatically be hijacked, Moore confirmed. That kind of attack, where the user does nothing but surf to a malicious URL, is usually dubbed a "drive-by."
Rapid7 has not been able to trace the timeline of the vulnerability, including when it was discovered and how long it has been exploited.
According to a statement from Yunsun Lee, director of Microsoft's Trustworthy Computing group, the company will "take the necessary steps to help protect customers" after it concludes its probe.
The next Patch Tuesday is scheduled for Oct. 9, more than three weeks from today. But Microsoft has the option of providing a patch before then.
"I think a lot will depend on what they have to say in their alert when it's issued," said Andrew Storms, director of security operations at nCircle Security, of a possible emergency fix. "Right now, it sure looks like a bad bug on the loose, but nobody is saying to what degree IE's configuration settings can provide mitigation factors."
If Microsoft follows past zero-day reaction practice, it will issue a security advisory today or tomorrow with more information.
Microsoft has been reluctant to go out-of-band, however; the last time it issued an emergency patch was in December 2011. That update was the sole out-of-band patch in the last two years.
A Metasploit exploit module has been published for testing purposes, Moore confirmed. "It took [researchers] only four or five hours to come up with it," he said.
Moore stuck by Rapid7's recommendation to stop using Internet Explorer. "IE has taken major steps to improve security, but it's still the weakest link," Moore said. He also noted that avoiding the browser might not be enough, as many applications rely on the IE engine to render HTML.
What surprised him, however, was the fact that the same Web server has hosted multiple zero days. "It's exposed one zero-day [vulnerability], then another," he said.