Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow.

Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully compromise computers running earlier versions of the browser. The attacks target a previously unknown invalid pointer reference bug in IE that attackers used to penetrate the defenses of Google and dozens of other companies.

The exploit in Canvas was “fairly reliable” at remotely executing code in tests of IE versions 6 and 7 running on Windows XP SP3, Immunity researcher Kostya Kortchinsky wrote in an email. “It crashed IE 8 and will require a bit more work to get something out of it,” he added.

The exploit folded into Metasploit was tested on IE 6 running on the same Windows platform, the framework’s chief maintainer, H D Moore, wrote in a blog post.

While the flaw affects all versions of IE except for 5.01 SP 4, security protections built in to more recent versions of the browser and operating system can significantly mitigate the threat. DEP, short for data execution prevention, is enabled by default in IE 8 but must be manually turned on in prior versions. Users of Vista and later versions of Windows should run IE in protected mode, an additional feature that also provides important protection.

Read more here.