Microsoft is warning Internet Explorer users to be hyper-vigilant to phishing attacks after it discovered a major flaw in the web browser was being actively exploited by hackers.

The company is yet to issue a patch for the remote code execution vulnerability, which affects all supported Windows desktop and server versions, as well as the out-of-support Windows 7 and Server 2008.

The flaw exists in the way Internet Explorer’s scripting engine (the browser component that handles JavaScript code) deals with objects in memory, Microsoft says.

An attacker who successfully exploits the flaw could gain the same user rights as the current user and run code of their choice on the victim’s system.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.

One way a hacker could exploit the flaw is by sending a phishing email or other message that lures the user into opening a specially crafted malicious website in IE.

Microsoft said it was working on a fix for the vulnerability, expected for its next Patch Tuesday update in early February. In the meantime it has suggested several workarounds and mitigations, including restricting access to the JavaScript component JScript.dll, to safeguard against attack.
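For administrators who want to confirm that the JScript.dll restriction is actually in place on a machine, the following PowerShell audit is an added example, not code from Microsoft or from this article. It assumes the restriction takes the form of a Deny entry for Everyone on the file, which the article does not specify, and the status labels are its own.

```powershell
# Added example, not Microsoft's published workaround.
# Assumption: "restricting access" means a Deny ACE for Everyone (S-1-1-0)
# that covers read/execute on the file. Run from a 64-bit PowerShell session
# so that System32 is not redirected to SysWOW64.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$needed   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# On 64-bit Windows the DLL exists in both system directories.
$paths = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')
)

$report = foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # 32-bit systems have no SysWOW64 copy.
        [pscustomobject]@{ Path = $path; Status = 'NotPresent' }
        continue
    }

    # Explicit and inherited rules, with identities resolved to SIDs so the
    # comparison does not depend on the localized name of "Everyone".
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $blocked = $false
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Deny' -and
            $rule.IdentityReference -eq $everyone -and
            ($rule.FileSystemRights -band $needed) -eq $needed) {
            $blocked = $true
        }
    }

    [pscustomobject]@{
        Path   = $path
        Status = if ($blocked) { 'Restricted' } else { 'Unrestricted' }
    }
}

$report | Format-Table -AutoSize
```

Any row reporting `Unrestricted` means the mitigation is missing for that copy of the DLL. Once the patch is installed, the same script can confirm the restriction has been removed.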

While Microsoft said it was aware of hackers actively exploiting the flaw, it described these instances as “limited targeted attacks”, believed to be part of a wider hacking campaign also targeting Firefox users.

Internet Explorer is no longer the default browser in the latest versions of Windows, but still comes installed with the operating system and remains the browser of choice for many legacy applications.