Last Thursday, two new flaws were discovered, and one was already used to attack the systems.

Monty IJzerman, the manager of security content at McAfee: “This exploit code is being used in the wild in malware”, “I expect other attacks to be prepared and to be out there over the next few days.”

As a result, Microsoft said that they will work on the problem and release a security update, but no date was indicated. Their next patch should appear in 11 April. However, maybe they will release a urgent one, considering the flaws.

“It is on the table,” said Stephen Toulouse, a program manager in Microsoft’s Security Response Center. “Every time any kind of exploitation is going on, it is on the table.”

It has to do with how Internet Explorer handles the “createTextRange()” tag in Web pages. A hacker could take advantage of it to gain control over a vulnerable PC by crafting a specially coded Web site.

Symantec, the first security firm that discovered the flaw on a website that was using the flaw to insert malicious code onto the PC. Symantec had not yet seen the attack on Friday, but said it expected to see them.

“There is a lot of financial incentive to exploit this stuff and foist nasty, unwanted things onto people’s desktops without their consent,” Dave Cole, a director at Symantec Security Response, said.

Microsoft quick solution was to disable active scripting, this way preventing the attacks. The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 as well as IE 7 Beta 2 Preview, according to security experts. Microsoft, however, in its advisory lists the IE7 browser as immune.