Microsoft confirms newest IE bug went unpatched yesterday

10.12.2008

There is some minor disagreement among researchers about the underlying bug. A noted vulnerability researcher and the labs director at BreakingPoint Systems, a Texas-based network test company, said the bug is in how IE handles the HTML "span" tag.

Others, however, said that the vulnerability is broader than that. "It's a problem in the .dll that handles the rendering of multiple types of HTML content in IE," said Greenbaum, a senior manager in Symantec's security response group. "But the bug is triggered by the span tag, so it would be accurate to say it's a combination of both of those sources."

Greenbaum said Symantec has monitored attacks, but downplayed the threat for now. "Even in those regions [China and Asia], we're not seeing very high amounts of attacks," he said. "And in our own lab tests, the exploit is not successful against every machine. It's not all that reliable."

He guessed that the current attack code works, at best, a third of the time, but is most likely even less reliable than that. "Only a small portion of these attacks will be successful."

Symantec has not yet determined whether other versions of Microsoft's browser contain the same vulnerability; attack code in use now, however, works only against IE7.