An Internet Explorer vulnerability that was patched in this month's Patch Tuesday update is being actively exploited.

"SophosLabs has seen numerous attempts to exploit this vulnerability (Sophos products detect it as Exp/20121875-A)," writes Sophos' Paul Ducklin. "Cunningly-crafted JavaScript code -- which can be embedded in a web page to foist the exploit on unsuspecting visitors -- is circulating freely on the Internet. Also, the Metasploit exploitation framework now has a plug-in module which will generate malicious JavaScript for you on-the-fly to help you automate an attack."

"The security bug stems from memory mismanagement in Internet Explorer, or more particularly a use-after-free bug," writes The Register's John Leyden. "Technologies built into the latest versions of Windows -- including DEP (data execution prevention) and ASLR (address-space layout randomisation) -- are meant to make this sort of attack harder but have both come up short in this instance."

"The public availability of exploit code for both of these vulnerabilities increases the chances that they will be exploited in new attacks," writes Computerworld's Lucian Constantin. "Users are advised to install the security patch for CVE-2012-1875 and the Microsoft Fix it tool for CVE-2012-1889 as soon as possible in order to protect themselves."