Microsoft is investigating a vulnerability that gives cybercriminals access to your computer and affects one third of internet users.
Microsoft has admitted there is a vulnerability in Internet Explorer (IE) versions 7, 8 and 9 but says that attacks "appear very limited."
"We're aware of targeted attacks potentially affecting some versions of Internet Explorer and have released Security Advisory 2757760 to help protect our customers; we'll take further actions as appropriate," Yunsun Wee, director of Microsoft Trustworthy Computing, told IBTimes UK.
"Internet Explorer 10 is not affected. While attacks appear very limited, we recommend customers deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 3.0, which provides effective protections without affecting the Web browsing experience."
Security researcher Eric Romang spotted the zero-day vulnerability last week, noting that it affected those running IE 7, 8 and 9 on Windows XP, Vista and 7. A computer can be compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user.
This vulnerability will affect around one third of all internet users, based on the number of people using the affected versions of IE.
The vulnerability has already been used by cybercriminals who have created a specially designed Flash animation to drop malicious files onto your PC.
Earlier this month, a Java zero-day vulnerability was uncovered, which Oracle eventually patched. The creators of an exploit targeting that vulnerability were traced by security experts to a gang in China called Nitro.
According to security blogger Brian Krebs, Romang and other experts have connected the sites serving those Java exploits to the Nitro attacks of 2011, espionage attacks directed against at least 48 chemical and defense companies.
Romang has been monitoring infected servers used by the Nitro gang since August and last week discovered a folder containing four files. Having downloaded and tested the files, Romang found they dropped files onto his PC.
Microsoft has not said definitively whether a patch for this specific vulnerability is incoming or whether it will wait until its next scheduled update (due on 9 October) to patch the problem.
"The new Internet Explorer vulnerability is a major concern for millions of users. Significantly, cyber criminals will look to exploit this vulnerability and the trusting nature of end-users to propagate targeted attacks putting both corporate and personal data at risk," Carl Leonard, senior security research manager EMEA at security firm Websense, told IBTimes UK.
"The vulnerability allows attackers to execute code on a machine by just having a user visit a malicious website which can happen by simply tricking the user to click on a link in an email or via compromised legitimate websites. While zero-day vulnerabilities are rare, businesses need real-time inline security to battle these new threats as and when they appear. Websense has released updates to the real-time analytics of Advanced Classification Engine (ACE) which means that Websense customers are protected."
Security experts suggest switching to Chrome or Firefox, a move that is likely to affect IE's market share at a time when it is fighting to hold on to its dominant position, currently holding 49 percent of the combined mobile and desktop browser market.