Hackers are racing to build reliable exploits to use against a zero-day vulnerability in Internet Explorer (IE), putting pressure on Microsoft to push out a patch before attacks go public, researchers said today.

Yesterday, Microsoft first confirmed that new exploit code could compromise PCs running Internet Explorer 6 (IE6) and Internet Explorer 7 (IE7), then later in the day issued a security advisory that said Windows 2000, Windows XP and Windows Vista users were at risk.

Because the attack code had been publicly posted to a widely-read mailing list, researchers today said that the clock has started.

"This is clearly a critical vulnerability, and as bad as it gets," said Ben Greenbaum, a senior research manager with Symantec's security response team. "It is a race, yes, it certainly is," he added when asked whether hackers and Microsoft are pitted in a drag race.

"Definitely some kind of race," agreed Wolfgang Kandek, the chief technology officer at security company Qualys. "It's a matter of whether Microsoft can fix it first or attackers can get something that works reliably."

Full story: Computerworld