On July 6, just hours after security companies reported that thousands of compromised sites were serving up exploits, Microsoft acknowledged the flaw in the ActiveX control that can be accessed using IE. The bug has been used by hackers since at least June 9.

Microsoft said it will issue a patch for the flaw on July 14.

The vulnerability "exposes the whole world and can be exploited through the firewall," said Roger Thompson, chief research officer at security software vendor AVG Technologies USA Inc. "That's better than Conficker, which mostly did its damage once it got inside a network."

that Microsoft had thought dire enough to fix outside its usual update schedule in October 2008. The worm exploded into prominence in January, when a variant infected millions of machines that remained unpatched.

Microsoft confirmed the latest flaw shortly after security researchers at Danish firms CSIS Security Group AS and Secunia said that thousands of hacks of legitimate Web sites over the July 4 weekend had exploited the bug.