Microsoft has issued a warning about a significant flaw in the Internet Explorer browser that could allow hackers to control unprotected computers.
The vulnerability permits hackers to inject malware into any system by tricking users into visiting malicious websites. This affects anyone using Internet Explorer (IE) versions 6 to 8.
The exploit code for this bug has already been published. Although Microsoft has stated there is no current evidence of its use by criminals, it is "investigating" and working on a permanent fix, according to a report by the Daily Mail.
Dave Forstrom, director of Microsoft's Trustworthy Computing group, said, "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
The bug lies in how the browser manages a computer's memory when processing Cascading Style Sheets (CSS), the design instructions that dictate the appearance of most web pages. Hackers can inject their own code into the instruction stream, thereby hijacking the PC. Memory management protection has improved, but these enhancements fail when certain older Windows components are called upon.
The vulnerability was first reported earlier this month on the seclists.org full disclosure mailing list.
Rik Ferguson, a security analyst at Trend Micro, told the BBC, "As vulnerabilities go, this kind is the most serious as it allows remote execution of code. This means the attacker can run programs, such as malware, directly on the victim's computer."
He added, "It is highly reminiscent of a vulnerability from two years ago that prompted several national governments to warn against using IE and to switch to an alternative browser."