In a blog posting, McAfee chief technology officer George Kurtz explained that researchers for the firm have seen references to the code on mailing lists and that it has been published on at least one web site.
An attacker could use the flaw to gain control over a user’s system by tricking them into visiting a rigged web page, he said.
“The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability,” warned Kurtz.
“The now public computer code may help cybercriminals craft attacks that use the vulnerability to compromise Windows systems. Popular penetration testing tools are already being updated to include this exploit. This attack is especially deadly on older systems that are running XP and Internet Explorer 6.”
Microsoft issued a security advisory on Thursday admitting that Internet Explorer could be used to allow remote code execution, and said it may release an out-of-cycle patch for the flaw.
“At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if the situation changes,” noted the security update.
The flaw has been taken very seriously by organisations across the globe, with the German government recommending its citizens use an alternative browser to IE until the vulnerability is patched.