IE Exploit Could Soon Be Used By 10,000-Plus Malicious Sites
Security researchers are sounding an alarm over an unpatched vulnerability in Microsoft's Internet Explorer. The bug has already been used to compromise PCs and load them with scores of adware and spyware.
The unpatched vulnerability in Microsoft's Internet Explorer that created a stir Tuesday may be exploited by 10,000 or more malicious Web sites if all their owners update to the newest version of the WebAttacker exploit kit, a security researcher said Wednesday.

First reported by Florida-based Sunbelt Software Tuesday, the bug has already been used to compromise PCs and load them with scores of adware and spyware programs, as well as other malicious code. Users surfing with IE 6 and earlier can be infected simply by viewing the wrong site.

The in-the-wild exploit is definitely being served up by WebAttacker, a multi-exploit "kit" created and sold by a Russian group for as little as $20, said Dan Hubbard, head of research at security company Websense. Tuesday's analysis by Hubbard and others, including Eric Sites of Sunbelt, fingered WebAttacker but couldn't prove it.

"We've seen a new version of WebAttacker on some sites, along with older versions," said Hubbard, "so we know that they've updated their kit."

WebAttacker is a modular hacker toolkit that uses a simple Web interface to let attackers choose from numerous exploits -- the VML exploit only the most recent -- to "serve" any visitor of a malicious site. The kit even identifies the operating system, say Windows XP SP2; browser used; and presence of anti-virus software, then chooses the best exploit to run, Symantec said in an entry on its security team's blog Wednesday.

WebAttacker, added Symantec's Amado Hidalgo, even generates statistics on successful exploits by host, OS, and browser; it also calculates an "exploit efficiency" ratio, said Hidalgo.

"One thing we haven't found yet," said Websense's Hubbard, "is a stat page that will tell us how many systems have been compromised."

In April, Websense discovered a WebAttacker stats page that showed just one malicious site had compromised more than 3,000 computers using just two of the kit's seven exploits.

"There are close to 10,000 sites either hosting WebAttacker or pointing to sites that do," Hubbard estimated. Although only about 20 sites are currently serving up the exploit, if more WebAttacker users decide to download the newest version, Hubbard expects that the numbers of malicious sites will quickly climb.
