Microsoft has released a security advisory that warns about remote code executions in various versions of Internet Explorer.

"This issue allows remote code execution if users visit a malicious website with an affected browser," Microsoft said. "This would typically occur by an attacker convincing someone to click a link in an email or instant message."

The bug affects Internet Explorer 6 - 11, though according to security firm FireEye, "the attack is targeting IE9 through IE11."

"We believe this is a significant zero day as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available," FireEye said.

Microsoft said that Enhanced Protected Mode, on by default in IE10 and IE11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, "will help protect against this potential risk." But until a patch is released, IE users should be on high alert and not click on any sketchy links or travel to unknown sites, or temporarily switch to another browser.

At this point, Microsoft said it is "aware of limited, targeted attacks" using the IE flaw. "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

As Symantec noted, "this will be the first zero-day vulnerability that will not be patched for Windows XP users, as Microsoft ended support for the operating system on April 8, 2014." However, the EMET toolkit "is available for Windows XP users," the company said.

PC Magazine