Attack code for a new hole in Internet Explorer has been written and is being used.
The vulnerability is similar to a bug that Microsoft patched last month in a multimedia component of Internet Explorer, according to Vincent Hwang of Symantec's Security Response team.
Sample exploit code for the vulnerability has been posted by hackers on the xsec.org website, although Symantec said it has yet to see the code used. To take advantage of the exploit code, attackers would first need to trick users into viewing a maliciously encoded web page, but once that's done they could then run unauthorised code on a victim's computer.
Researchers at Secunia have said they were able to create a "fully working" exploit for the latest version of Windows XP running Internet Explorer 6. Windows 2000 users are also vulnerable, Secunia said. Symantec calls the bug "critical" and has given it its most severe rating.
The xsec.org hackers described their code as a 0day, a reference to the "zero day" phrase used to mean an exploit for a previously undisclosed hole. But one well-known hacker said the flaw was not difficult to find using publicly available security tools. "Calling it 0day is a stretch," said HD Moore, head of the Metasploit project.
The hole is the second unpatched flaw that Microsoft is looking at. Earlier this month, attackers began exploiting a vulnerability in the company's Word software.