IE flaw points to limits of monthly patch releases

29.03.2006

There are security concerns, as well, he said. "We imagine a worst-case scenario where a third-party patch fixes a Microsoft flaw but injects a rootkit type application that could do almost any malicious action the writer wanted," he said.

The SANS Internet Storm Center in Bethesda, Md., on Tuesday posted a note on its site advising users not to apply eEye's interim patch, because work-arounds such as turning off Active Scripting or using a different browser appear to be effective.

"Some specific cases may require you to apply the third-party patch," SANS said. One example is when a company is required to use several third-party Web sites that function only with Internet Explorer and Active Scripting turned on, SANS said. In such cases, companies need to test the interim patch and consider contacting Microsoft before deploying it.
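The work-around SANS recommends, disabling Active Scripting, is a per-zone Internet Explorer setting stored in the registry. The script below is an added example, not code from the article, SANS or eEye: it turns Active Scripting off in the Internet zone for the current user, records the previous value so the change can be reverted once a vendor patch ships, verifies the result, and shows how a site that genuinely needs scripting can be placed in the Trusted sites zone instead of re-enabling scripting everywhere. The zone numbers (3 = Internet, 2 = Trusted sites), the value name 1400 and the setting values (0 = Enable, 1 = Prompt, 3 = Disable) are Internet Explorer's own; the domain `intranet-app.example.com` and the assumption that a missing 1400 value means the zone default (enabled) are mine.

```powershell
# Added example: disable Active Scripting in the IE Internet zone (current user) and verify it.
# Registry layout used by Internet Explorer security zones:
#   ...\Internet Settings\Zones\<zone>  -> DWORD "1400" = Active scripting (0 Enable, 1 Prompt, 3 Disable)
#   ...\Internet Settings\ZoneMap\Domains\<domain> -> DWORD "<scheme>" = zone number (2 = Trusted sites)
$internetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$domainsKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$activeScripting = '1400'
$Disable = 3

function Get-ActiveScriptingSetting {
    # Returns the current Active Scripting value for the Internet zone.
    # Assumption: if the value is absent, IE uses the zone default, which is Enable (0).
    $item = Get-ItemProperty -Path $internetZone -Name $activeScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$activeScripting
}

function Disable-ActiveScripting {
    # Sets Active Scripting to Disable in the Internet zone and returns the previous value
    # so the caller can restore it after the vendor patch is deployed.
    $before = Get-ActiveScriptingSetting
    Set-ItemProperty -Path $internetZone -Name $activeScripting -Value $Disable -Type DWord
    $after = Get-ActiveScriptingSetting
    if ($after -ne $Disable) {
        throw "Active Scripting is still set to $after in the Internet zone"
    }
    return $before
}

function Add-TrustedSiteDomain {
    # Maps one domain (https only) into the Trusted sites zone, where scripting stays enabled,
    # so a line-of-business site that requires Active Scripting keeps working.
    param([Parameter(Mandatory)][string]$Domain)
    $key = Join-Path $domainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# Usage
$previous = Disable-ActiveScripting
Write-Host "Internet zone Active Scripting: was $previous, now $(Get-ActiveScriptingSetting) (3 = Disable)"

# Hypothetical site that only works with IE and Active Scripting turned on.
Add-TrustedSiteDomain -Domain 'intranet-app.example.com'
Write-Host "Trusted sites entry written for intranet-app.example.com; keep `$previous ($previous) to roll back later."
```

Note that this changes only the current user's settings; to enforce it machine-wide, use the corresponding keys under HKLM together with the Security_HKLM_only policy, or the equivalent Group Policy setting. Putting a site in Trusted sites also relaxes other zone restrictions for it, so it should be reserved for sites the company actually controls or must use.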

"We do suspect that Microsoft will still release an early patch, given the imminent danger to its customers from this flaw," SANS said.

PatchLink Corp., a Scottsdale, Ariz.-based vendor, said that in a survey of 250 IT managers that it conducted in February, more than 60 percent said they would like software vendors to release patches immediately when exploits are in the wild. With zero-day exploits on the rise, the release and deployment of third-party patches is becoming more accepted -- though many IT professionals are still skeptical of the approach, the survey showed.