Microsoft is warning users to avoid suspicious websites and emails after attacks were reported on an unpatched flaw in Internet Explorer 7.
The company would not provide exact figures, but said that a "limited number " of attacks had been reported.
The attacks target a vulnerability in IE7's handling of the uniform resource indicator (URI) commands used by browsers to launch third-party applications.
Microsoft disclosed the vulnerability on 10 October, explaining that it arises when the browser fails to check malformed URI instructions in Windows XP and Server 2003. Windows Vista is not believed to be vulnerable.
Security firm Secunia rated the vulnerability as 'highly critical', the fourth of its five severity levels.
Microsoft Security Response Center team member Bill Sisk told users in an article posted to a company blog that a fix is in development, but could take some time owing to the nature of the vulnerability.
Executing an attack on the vulnerability involves using the 'ShellExecute' command that Windows calls up to load applications.
Because the component is such a vital part of Windows, Sisk said that Microsoft is taking extra care to ensure that a security fix will not damage the operating system.
In the meantime, Microsoft and Secunia recommend that users avoid untrusted or suspicious links and websites and avoid opening attachments in unsolicited emails.
Geoengineering on the sea floor near glaciers would form a new ice shelf to prevent melting
Alterations in capillary blood flow can be caused by body position change
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff