The security vulnerability allows hackers to run malicious software (such as a trojan, virus or worm) on a user's machine when they visit a website containing the exploit code.
The vulnerability affects Microsoft Internet Explorer on the following operating system platforms: Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Windows 2000 Service Pack 4, Windows XP Service Pack 1, and Windows XP Service Pack 2.
"Microsoft will be fuming that the security of their software is being brought into question before they have had a chance to issue a security patch," said Graham Cluley, senior technology consultant for Sophos.
"Microsoft's next bundle of security patches isn't due until Dec. 13, and it will be interesting to see if they decide to break the cycle and release a patch earlier in response to the increasing number of exploits," he said.
Sophos said it has issued protection to its users against malware discovered on websites exploiting the vulnerability, including the Clunky-B trojan horse, which gives hackers remote access to an infected PC.
Cluley added: "It wouldn't be a surprise if more malware was distributed that took advantage of this vulnerability in Microsoft's code."
This view was echoed by Luis Corrons, director of PandaLabs. "Once this circulates among other cyber criminals we can expect further attacks of these types. Even with a computer system that is fully patched, users are still vulnerable unless they have a fully up-to-date anti-malware solution," he said.
Until a fix is available from Microsoft, concerned computer users should consider changing the configuration of Internet Explorer to disable Active Scripting, or to prompt before allowing it to run, for the Internet zone.
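The Active Scripting setting described above is stored per security zone in the registry; the following PowerShell script is an added example, not part of the article or of any vendor guidance quoted in it. It reads the Internet zone's Active Scripting value (zone 3, value name 1400, where 0 = Enable, 1 = Prompt, 3 = Disable) and switches it to Prompt for the current user. The script assumes it is run in PowerShell on a Windows build that still has these Internet Explorer zone keys.

```powershell
# Added example (not from the article): view and change the Internet zone's
# Active Scripting setting in Internet Explorer through the registry.
# Zone 3 is the Internet zone; value 1400 is "Active scripting".
# DWORD data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'

function Get-ActiveScriptingSetting {
    # Returns the human-readable state of Active Scripting for the Internet zone.
    $raw = (Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    switch ($raw) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($raw)" }   # missing value or a non-standard setting
    }
}

function Set-ActiveScriptingSetting {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode)
    # Map the friendly name back to the DWORD IE expects and write it for the current user.
    $data = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    New-ItemProperty -Path $ZonePath -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
}

"Before: $(Get-ActiveScriptingSetting)"
Set-ActiveScriptingSetting -Mode Prompt   # Disable would block scripting outright
"After:  $(Get-ActiveScriptingSetting)"
```

On a managed machine the same value may be enforced under HKLM by Group Policy, in which case the per-user setting is ignored; check the corresponding key under HKLM (or the zone settings in Internet Options) to confirm the effective state, and re-run the script with `-Mode Enable` to restore the original setting once the patch is installed.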