Posting on the Microsoft Security Response Center weblog early Monday morning, Stephen Toulouse, head of the response center, assured PC users that Redmond's research teams are working overtime on a patch for the flaw.
"I want to reiterate that the IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers (right now our testing plan has it ready in time for the April update release cycle)," he said, adding that users could scan their machines when visiting a Microsoft website.
So far, Microsoft is only aware of limited attacks, said Toulouse.
Pedro Bueno, posting on the SANS Institute's Internet Storm Center website, advised IE users that Microsoft's scan protects against only known malware with signatures.
SANS had also seen a substantial number of malicious sites take advantage of the flaw.
"Although they say that (they) are seeing only limited attacks, we have some reports of more than 100 sites (Saturday data) exploring this vulnerability to install bots, keyloggers...," said Bueno, who later updated his post to report more than 200 such malicious sites.
Vulnerability monitoring firm Secunia added a new IE flaw to its website today, this one caused by an error in .HTA applications. The flaw allows execution of an .HTA application on the user's system without user interaction, according to Secunia.
Integrated threat management firm Sophos echoed Microsoft's advice to practice web surfing in the absence of a patch.
"With no patches yet available to plug this hole, both home users and businesses need to exercise caution here," said Carole Theriault, senior security consultant at Sophos. "Users without any additional security measures, such as firewall and anti-virus software, and users who surf the web and open emails without care, are at much higher risk than those who practice safe computing."
