Attackers are exploiting a "zero-day" vulnerability in Microsoft's Internet Explorer (IE) and hijacking Windows PCs that cruise to malicious or compromised websites, security experts said today.

Microsoft said it is investigating reports of the bug, but did not set a timetable for fixing the flaw.

The unpatched bug in IE7, IE8 and IE9 can be leveraged in Windows XP, Vista and Windows 7, according to Rapid7, the security firm that also maintains the open-source Metasploit penetration-testing toolkit.

Rapid7 urged IE users to ditch the browser and rely on a rival's application.

"Since Microsoft has not released a patch for this vulnerability yet, users are strongly advised to switch to other browsers, such as [Google's] Chrome or [Mozilla's] Firefox, until a security update becomes available," Rapid7 advised in a Monday post to its Metasploit blog.