Microsoft has no patch yet for security flaw

By ABC News
July 6, 2009, 10:38 PM

Security firm Symantec said the vulnerability, which affects PCs using Windows XP or Windows Server 2003 operating software, is already being taken advantage of by cybercriminals.

It can allow hackers to remotely take control of victims' machines. The victims don't need to do anything to get infected except visit websites infected with a tiny bit of code that taps into the security hole.

Dean Turner, director of Symantec Security Response, says a cybercriminal group has corrupted an estimated several hundred legitimate Web pages with such infections since July 1. The criminals most likely are sending out e-mail spam to trick victims into clicking to the corrupted pages.

Symantec researchers caught part of the malicious code moving across the Internet in a computer, called a honeypot, set up to receive infections. But they have not captured any samples of the e-mail trickery.

"This is not that uncommon," Turner says. "But this kind of exploit in the wild, with no security patch yet available, has the potential to affect hundreds of thousands of people."

A flurry of similar attacks on Internet Explorer took place in 2007 and 2008, but have slowed. Attackers in 2008 began to gravitate to security holes in popular applications, such as Microsoft Word.

And in the past few months, the most widely attacked program has been Adobe Acrobat Reader, says Roel Schouwenberg, senior researcher at Kaspersky Lab.

The so-called zero-day vulnerability disclosed by Microsoft affects a part of its software used to play video. The problem arises from the way the software interacts with Internet Explorer, which opens a hole for hackers to tunnel into.

Microsoft urged vulnerable users to disable the problematic part of its software, which can be done from Microsoft's website, while the company works on a "patch" or software fix for the problem.