Hackers have upped the ante by launching more attacks against an unpatched IE 7 flaw.

Microsoft warned on Saturday that attacks targeting the vulnerability, which affects versions of its flagship browser on all supported versions of Windows, are becoming more widespread. The security bug first came to prominence a week ago, just before the latest edition of Microsoft's update cycle.

As a result an estimated one in 500 users worldwide have been exposed to the vulnerability, Microsoft estimates. The volume of attacks grew by 50 per cent from Friday until Saturday alone with little sign of a let-up. It's highly unusual for Redmond to quote such stats, and the fact it has underlines the mounting seriousness of the problem.

At first it was reckoned that only IE 7 users were affected, but further analysis suggests that versions 5.01, 6, and 8 of the browser are also vulnerable. However, attack code currently in circulation aims to exploit surfers running IE7 specifically. Early prognosis of the vulnerability suggested error in parsing XML code were the problem, but further work has revealed that data binding bugs are the real culprit.

Suggested workarounds to defend against the flaw, pending a security patch from Microsoft, include disabling active scripting - as explained by US CERT here. ®

Related stories

• Opera releases update for 'extremely severe' vulns (16 December 2008)
• Browsers fail password protection tests (15 December 2008)
• IE zero day bites broader group of users (12 December 2008)
• Chinese researchers inadvertently release IE7 exploit code (11 December 2008)
• Updated In-the-wild attacks find hole in (fully-patched) IE 7 (9 December 2008)
• Internet Explorer - now with 35% less FAIL (29 August 2008)
• Microsoft's IE 8 puts giant web hole on notice (20 August 2008)