"The IE7 Zero-Day is really nasty. No patch. Mitigation options are not good; some are draconian. Dig in folks; this could be a rough ride," said Howard.
The exploit first appeared in China last Tuesday and has quickly morphed into several variants, according to Howard. iDefense has given the exploit a "high" threat rating since it had worked against fully patched systems, following Microsoft's December Patch Tuesday.
The Chinese "knownsec" security team released an advisory on Tuesday in which it admitted that the exploit code was leaked by one of its members, according to Howard.
"According to their notes, they had mistakenly assumed this issue to be for an already patched vulnerability," Howard said.
Microsoft said it was only aware of "limited attacks that attempt to use this vulnerability". It has advised users to apply the workarounds listed on its site.
While Microsoft has played down the threat, Stephan Chenette, manager of security research at Websense's US headquarters, who had also been tracking the exploit's passage across the globe, said the exploit was both critical and expected to lead to a "larger attack" in the coming weeks.
"This exploit is quite critical. There's no user interaction required; all the user has to do is visit a malicious website," Chenette told ZDNet.com.au.
The servers hosting the exploit are all located in China and are based on the same networks, Chenette said.
"It looks to be one or a few different groups using this, but it's expected to increase because it was released on Milw0rm," he said. Milw0rm is a website where proof of concept exploits are published; however, the site is used by both security teams and attackers.
"It also helps the attackers create another variation of the attack," he said. "And that's what we've seen: a lot of copy and paste code from the proof of concept."
"Because of how simple this attack is — it's on IE7 and very easy to exploit — we're predicting that we're going to see a larger attack in the next few weeks. Especially because of the timely attack — it happened only one day before Microsoft's patch Tuesday."
Due to the seriousness of the exploit, Microsoft will likely be forced to issue a patch outside its usual Patch Tuesday cycle, said Chenette.
"There's no way that users can wait one more month unpatched without any other protection mechanisms," he said. "Patch Tuesday has always been a point of attack for Microsoft and any company that has a patch cycle."