The flaw could allow an attacker to take control of a system through a specially crafted website, or by sending out spam email messages.
Microsoft originally planned to release the patch on 10 October, as part of its monthly patch release cycle. The vendor issues 'out-of-band' updates in rare cases if it helps to halt active attacks.
The VML vulnerability surfaced last week when a small group of websites in Russia started exploiting the unpatched vulnerability.
The abuse of the vulnerability became widespread over the weekend after the exploit was included in a malware toolkit known as 'WebAttacker'.
Users who have applied a third-party workaround need to undo those changes before the patch can be applied.
Security experts recommend that users apply the patch as soon as possible. The update can be obtained through the built-in auto-update feature in Windows or from the Microsoft Update website.
Facebook told by Brussels-based court to stop tracking non-users and to delete all data held on them
Supply chain and manufacturing experience could give Dyson an important edge
New VR Zone Portal arcades open in London and Tunbridge Wells
Systems-on-a-chip with integrated AI features could make voice and facial recognition