Symantec’s Greenbaum: Microsoft “may consider” out-of-band patch to fix new IE flaw

Close on the heels of Microsoft’s March ‘Patch Tuesday’ security bulletin release, which carried an addendum about ‘an un-patched zero-day vulnerability affecting Internet Explorer (IE),’ security vendors have started reporting more incidents of ‘in the wild’ exploitation of the new IE flaw.

Noting that only limited attacks ‘in the wild’ are being reported as a result of the un-patched IE flaw, Symantec Security Response’s senior research manager Ben Greenbaum said in an e-mail that the limited scale of the attacks indicates the zero-day exploit is being used in targeted attacks.

Greenbaum said: “In our tests, we found a fully-patched version of Internet Explorer 6 to be vulnerable to the exploit code. The exploit is carried out simply by visiting a Web page hosting the vulnerability. When the browser opens the page, the exploit causes the user's computer to download and execute another piece of malware, which is an Infostealer/Backdoor Trojan.”

With the un-patched IE vulnerability leveraged in January to launch the cyberattacks against Google and other companies having warranted an ‘out-of-band’ patch from Microsoft, analysts are debating whether the company should issue a similar patch for the new flaw too.

About the possibility of an out-of-band patch, Greenbaum opines that “since attack attempts are taking place nonetheless, it's possible Microsoft may consider an out-of-band patch for this issue. Otherwise, we would expect to see this patched as part of a regular scheduled release sometime in the near future.”