The company's security team on Monday around 1 p.m. ET acknowledged reports of in-the-wild attacks and provided more information about who is vulnerable.
Earlier today, security researchers at a pair of Danish firms had announced that thousands of legitimate Web sites hacked over the weekend were conducting drive-by attacks on IE users with an exploit of a critical unpatched vulnerability in Windows' DirectShow, part of DirectX.
"A browse-and-get-owned attack vector exists," Chengyun Chu, of the Microsoft Security Response Center's engineering team, said this afternoon. "A user needs to be lured to navigate to a malicious Web site or a compromised legitimate Web site to be affected ... [but] no further user interaction is needed."
Users running IE6 or IE7 on Windows XP and Windows Server 2003 are vulnerable to the drive-by attacks, Microsoft said. Vista and Server 2008 are not at risk, however, nor are people running IE8, Microsoft's newest browser.
Although Microsoft promised it would patch the bug, a company spokesman declined to say whether that patch would be ready by July 14, the next regularly-scheduled security update release day.