Microsoft rushes clutch patch for 'deep' bug in Windows, third-party apps

27.07.2009

Other security researchers either declined to comment or assumed Dullien was on the right track.

"I don't think I can comment specifically, but I am prepared to say that whenever Microsoft goes to the trouble of doing an out-of-band [update], people should probably pay attention, and patch as soon as they can," said Roger Thompson, chief research officer at security software vendor AVG Technologies, via instant messaging on Saturday. Two weeks ago, Thompson warned that the ActiveX vulnerability was a prime candidate for another .

"If what [Dullien] said on his blog is even remotely correct, and if his call from Microsoft is credible, then consumers and Microsoft partners have got some serious work ahead," warned Andrew Storms, director of security operations at nCircle Network Security, in an e-mail Sunday.

Calling the out-of-band updates a "stand-up-and-pay-attention moment," Storms also recommended that businesses test the patches thoroughly before they're deployed. "Enterprises may want to wait a few days and see what their other software vendors have to say," he urged. "Reason for the extra caution? It appears that some companies may be using the ill-fated Microsoft function and when patched, [that] may cause some unexpected consequences."

Storms offered up another reason for Microsoft's Tuesday patching. "Many of the same security professionals will be in Vegas for Black Hat, which in itself may have jump-started Microsoft's emergency patch release," he said. Black Hat, which kicked off Saturday, runs through Thursday. Dullien, as Halvar Flake, was slated to conduct a training session at Black Hat, according to the .