By Matthew Moore
Last Updated: 3:12PM GMT 16 Dec 2008
The flaw allows criminal gangs to take control of people's computers and steal their personal information when they visit websites that have been corrupted by malicious hackers.
It is believed that as many as 10,000 sites have been compromised since last week.
Microsoft said that it had detected attacks on machines using Internet Explorer 7, the most widely-used version of the browser, but that other versions are "potentially vulnerable".
"We are actively investigating the vulnerability that these attacks attempt to exploit," the firm, which also makes the Windows operating system, said in a security statement.
"We will continue to monitor the threat environment and update this advisory if this situation changes."
By last Saturday about 0.2 per cent of Internet Explorer users had already visited one of the websites designed to exploit the flaw, according to a statement on the technology giant's Malware Protection blog. The flaw was first exploited last week, but there has been a sharp increase in attacks in the last few days.
Given that three-quarters of people on the web use Internet Explorer, millions of people could already have been targeted.
Microsoft has published a list of technical changes that it says should protect against the threat until it can release a software update to close the loophole, although the instructions would be incomprehensible to most casual surfers.
It has also advised users to enable their firewalls and install anti-virus and anti-spyware software, but web security experts say the best guarantee of safety is to use an alternative browser such as Firefox, Safari or Opera, which can all be downloaded for free.
The websites corrupted by the hackers are mostly Chinese, and have been programmed to steal passwords for computer games which can be sold for money on the black market.
But the Internet Explorer security flaw could also be exploited by criminals seeking to steal people's bank details, private data and identities. "That's a big fear right now," said Paul Ferguson, a security researcher at Trend Micro, warning of "mayhem" if fraudsters succeed.
Graham Cluley, a virus expert at internet security firm Sophos, said that a "staggering" number of people could be affected by the attacks. While many of the compromised sites are pornographic, many are legitimate, mainstream web pages.
"Problems like this are found all the time but Microsoft always has a fix. What's new about this situation is that there is no fix.
"This is a really critical and serious problem. People should make sure their anti-virus software is up to date, and remember to install Microsoft's security patch when it is released."
But he added that switching browsers may be an over-reaction. "It's certainly a fix and gets around this problem, but Firefox, Google Chrome and other browsers all have their own security issues."
For me, only slightly annoying in the sense that at work I use web-based Outlook and its performance in Firefox is rubbish - the screen is completely useless. With IE it's set up brilliantly, but I've no idea how to make it look like that in Firefox! Other than that I tend to use Firefox for most things, but I guess whatever you use you're probably not 100% safe. Be careful, kids!!