Exploit code for a new critical flaw in Microsoft’s Internet Explorer, which allows remote attackers to take over users’ PCs, is now circulating on the internet.
The flaw affects versions 5.5 and 6 of Internet Explorer and Microsoft has no patch for the vulnerability.
No further user interaction is needed to set off the attack, so under the terms of Microsoft’s definition of threats the flaw can be deemed critical.
The flaw affects both the Windows 2000 and XP operating systems, including those XP systems running the Service Pack 2 security bundle.
Both internet security firm Secunia and the SANS security institute have issued warnings about the threat, which has existed for around six months.
Until now, it was thought the flaw could be used only to set off a denial-of-service attack on a network, which the industry regards as a less serious threat.
The fact that the vulnerability can now be used to completely take over machines means the industry expects Microsoft to deal with the problem quickly.
Microsoft said it was looking at the threat and considering whether to issue an immediate patch or bundle one as part of next month’s scheduled patching cycle.
The company is already considering whether to issue a patch for a separate Windows flaw, which allows attackers to launch a denial-of-service attack and crash networks.