That news came on the heels of warnings by the information security agencies of the French and German governments, which recommended that IE users switch to an alternate browser, such as Firefox, Chrome, Safari, or Opera, until Microsoft fixes the flaw.
In a Monday alert, Websense said it identified "limited public use" of the unpatched IE vulnerability in drive-by attacks against users who strayed onto malicious Web sites. The site Websense cited in its warning has since been yanked from its hosting server.
According to Websense, the attack code it spotted is the same as the exploit that went public last week. That code was quickly turned into an exploit module for Metasploit, the open-source penetration testing framework, by HD Moore, the creator of Metasploit and chief security officer for security company Rapid7.
Websense also said its researchers were working with Microsoft's researchers to identify sites serving up the exploit.
On Sunday, however, Microsoft continued to downplay the threat. In a post to the Microsoft Security Research Center (MSRC) blog, George Stathakopoulos, general manager of the Trustworthy Computing Security group, repeated earlier claims by the company that it had only seen a "very limited number of targeted attacks against a small subset of corporations."
Stathakopoulos stressed that the only attacks detected thus far have been against the eight-year-old IE6. That version of Microsoft's browser lacks security measures, including DEP (data execution prevention), that are available in IE7 and IE8. For that reason, Stathakopoulos urged users of IE6 or IE7 -- the latter is potentially vulnerable to attack when run on Windows XP -- to upgrade to IE8.
However, some security organizations don't believe that is enough, and have instead recommended that users switch to another browser until Microsoft issues a patch. Both the German and French government computer security agencies have urged IE users to run a different browser.