Microsoft had declined to confirm FireEye's findings earlier Monday, but at around 1 p.m. PT (4 p.m. ET) the company announced that a fix would be issued Tuesday as part of its November slate of security updates.
"We have confirmed that this vulnerability is an issue already scheduled to be addressed in 'Bulletin 3,' which will be released as MS13-090," said Dustin Childs, a spokesman for the Microsoft Security Response Center (MSRC), in a post to the group's blog.
Bulletin 3 was one of eight that Microsoft announced last Thursday in its usual advance notification of a Patch Tuesday. That update, which will be rated "critical," will affect Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1 on the client side, and Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 on the server end.
In his blog post Monday afternoon, Childs said that the flaw involved an ActiveX control, Microsoft's browser plug-in technology. Childs also listed several steps customers could take to harden their PCs against attack until tomorrow's update arrives.
Microsoft did not suddenly accelerate its patch development and testing process to get the patch ready; instead, the company had already identified the flaw, perhaps with the help of other outside researchers and probably several weeks ago, and had crafted a fix.
The November slate of Microsoft's patches will ship Tuesday at around 10 a.m. PT (1 p.m. ET).