The vulnerability, in Internet Explorer’s “createTextRange” method, first came to light earlier this month. Microsoft issued an advisory last Thursday explaining that the flaw could allow an attacker to “execute arbitrary code on the user's system in the security context of the logged-on user”. In practice that means a user who merely views a malicious web page can have code run with their own privileges; where that user is a local administrator, the attacker effectively takes over the computer.
“Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope at this time,” said the advisory.
Microsoft is working on a patch for the vulnerability.
According to reports, hundreds of websites are now actively exploiting the flaw. On Thursday Websense Security Labs warned that one of these attacks involves emails containing excerpts from BBC news stories. Readers who click through to read the full story are sent not to the BBC site but to a spoofed web page, which uses the flaw to download and install a keylogger on their computer without any further interaction on their part.
“This keylogger monitors activity on various financial websites and uploads captured information back to the attacker,” warns Websense.
While a few security firms have released unofficial third-party patches for the vulnerability, Microsoft advises that users switch off Active Scripting in order to protect themselves while the official patch is developed. Active Scripting is a per-zone setting in Internet Explorer, so disabling it for the Internet zone denies an attack page the script it needs to trigger the flaw while leaving sites that have been placed in the Trusted sites zone working; sites left in the Internet zone that depend on scripting will break until the setting is restored.
It also advises users to steer clear of unfamiliar or distrusted websites.
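As an added example, not part of the article and not text from Microsoft’s advisory, this PowerShell script shows the workaround applied to the current user’s Internet zone, with the weak default beside the hardened value. It assumes the usual Internet Explorer zone layout in the registry: the Internet zone is subkey 3 under Internet Settings\Zones, the DWORD named 1400 is the Active Scripting action, and the values 0, 1 and 3 mean enable, prompt and disable respectively. Confirm those assumptions against your own IE version before relying on it.

```powershell
# Added example, not from the article or from Microsoft's advisory.
# Assumptions: Internet zone = subkey "3"; DWORD "1400" = Active Scripting action
# (0 = enable, 1 = prompt, 3 = disable). Per-user (HKCU) setting only.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-ActiveScriptingState {
    # Read the "1400" value; a missing value means the zone template default applies.
    $v = (Get-ItemProperty -Path $zone -Name '1400' -ErrorAction SilentlyContinue).'1400'
    switch ($v) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown ($v)" }
    }
}

"Before: Active Scripting (Internet zone) = $(Get-ActiveScriptingState)"

# Weak setting found on a default install: script on any Internet-zone page runs silently.
# Set-ItemProperty -Path $zone -Name '1400' -Value 0 -Type DWord

# Mitigation for the unpatched window: disable Active Scripting in the Internet zone.
# Use -Value 1 instead to be prompted per page rather than blocked outright.
Set-ItemProperty -Path $zone -Name '1400' -Value 3 -Type DWord

"After:  Active Scripting (Internet zone) = $(Get-ActiveScriptingState)"
```

The change applies to the user who runs it and is picked up the next time Internet Explorer reads its zone settings; restore the original behaviour by writing 0 back to the same value. Sites that must keep working with scripting enabled belong in the Trusted sites zone rather than having the Internet zone re-opened for everything.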