Researcher Says IE Bug Could Spread Quickly

13.07.2009

The hackers took advantage of the bug to reroute users to a malicious site, which in turn downloads and launches a multi-exploit hacker toolkit.

Two days after disclosing the bug, Microsoft admitted that members of IBM's X-Force threat research team had first reported the vulnerability to it sometime in 2008.

The X-Force researchers had uncovered the flaw in late 2007, and in December of that year reserved a number in the Common Vulnerabilities and Exposures list of publicly known information security vulnerabilities.

One of the researchers, Alex Wheeler, now manager of 3Com Corp.'s TippingPoint DVLabs, declined to say exactly when the flaw was discovered, citing a nondisclosure agreement he had signed with his former employer.

A Microsoft spokesman didn't say why the flaw wasn't patched earlier.