Hackers are exploiting an unpatched security hole in Internet Explorer 7 to take control of computers, security experts have warned.
An attacker who successfully exploits the IE7 flaw could gain the same user rights as the computer owner and access any personal information.
Microsoft said it is investigating reports of the attacks. So far it has determined that the attacks target Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.
The IE7 flaw is one of three so-called 'zero-day' flaws that have been discovered this week. Zero-day threats are released into the wild before security vendors can issue protection against them. The other zero-day vulnerabilities impact Microsoft SQL Server 2000 and WordPad's text conversion feature.
Mary Landesman, senior security researcher at ScanSafe, said: "Zero-day exploits involving any widely used software are particularly concerning. When it impacts a browser as widely used as Internet Explorer, it can have serious implications. Predictably, attackers were very quick to add the IE7 exploit to their tool kit and we anticipate these attacks will escalate over the coming weeks."
Microsoft said it was aware only of "limited attacks that attempt to use this vulnerability" in IE7 but that, on completion of its investigation, it would take the appropriate action to protect its customers, including possibly providing a solution through a service pack or via its monthly security update release process.
On the second Tuesday of each month, dubbed 'patch Tuesday', Microsoft releases security updates for its products. On 9 December, Microsoft released eight security patches to resolve a total of 28 vulnerabilities, including fixes for Windows, Word, Internet Explorer, Excel and Office, but these did not address the IE7 flaw.
Customers are advised to enable a firewall, apply all software updates and install anti-virus and anti-spyware software.