And that's a good idea, said Ollmann of ISS. "This vulnerability lies within code that's shared by a large number of Microsoft products, so it has a much wider footprint of attack than other recent zero-day vulnerabilities.
"This is the kind of exploit that we see in IE only once every two or three months."
In fact, the last time that an unpatched bug in IE was widely used to distribute a broad range of malware was in March, when the CreateTextRange bug was used by scores of malicious sites to seed PCs with spyware and adware.
The attacks could also get worse. "With the nature of VML, attackers could embed this exploit inside e-mail," Ollmann said. A user who only viewed an HTML-based message would succumb to the attack, he added.
Microsoft's only advice to users was to keep their anti-virus software up to date, and not to surf to "untrusted" sites or open suspicious e-mail messages. Sunbelt, ISS, and other security vendors suggested that users could protect themselves against the current exploit by disabling JavaScript.
But even that might not work for long. "JavaScript isn't required for this exploit to work," said Ollmann. "It would be a trivial change to make it work without Java."
The VML vulnerability is the second unpatched flaw in IE that has been disclosed in the last five days. On Friday, researchers warned of a bug in IE's handling of an ActiveX control included with Windows.