Andrew Storms, director of security operations for nCircle, agrees. "This exploit renders that mitigation null and void -- it has the effect of a key logger on virtual keyboards. Attackers could potentially capture the clicks connected with banking credentials using this exploit and that isn't good news for the 63 million Americans that bank online."
Alex Horan, senior product manager at CORE Security, adds that supposedly "safe" websites may not be so safe. "It also reinforces that just because you are visiting YouTube or the New York Times doesn't mean all the content on that site is owned or managed by them -- serving up malicious ads on trusted mainstream sites is a great way to expose your attack to a large volume of users."
Horan suggests abandoning IE until or unless the issue is patched by Microsoft.
Storms says, "If this vulnerability is confirmed, it has the potential to require an out-of-band patch and that's something everyone would like to avoid this holiday season."