Attackers cheated two widely respected Microsoft security features to wage targeted attacks via a previously unknown flaw in Internet Explorer.

Microsoft says the vulnerability resides in IE6, IE7 and IE8 only, and that attacks were waged via IE8. After first issuing an alert on the bug over the weekend, Microsoft then released a temporary workaround that prevents the exploitation of the bug. The software giant is currently working on a patch for the flaw.

Security researchers point to cyberespionage attackers possibly out of China as the culprits in the attacks, which targeted the websites of U.S.-based Council on Foreign Policy, as well as Capstone Turbine. But a new Metasploit module using the bug makes attacks more likely against multiple targets, they say.