The Internet Explorer 7 browser security issue is under investigation by Microsoft, with users expecting a patch or an update to fix the problem. According to Symantec, the problem affects the XML parsing engine of IE 7 and the library MSHTML.DLL.

Two cyberattacks in the wild, which exploit recent vulnerabilities found in IE 7 and WordPad Text Converter, enable hackers to infiltrate a user’s PC - by enticing them to view a malicious Web site by clicking on a malicious link - and install information-stealing code. Once malicious code was executed, the attacker could completely take over a victim's computer to steal personal data and record keystrokes, usually for monetary gain.

Microsoft said that it is currently working to address the problems, either with an out-of-band patch or one that is included in its regular patch cycle, although no fixes have been created yet for either flaw.

The company has offered up a few workarounds that the customers can use to thwart the attacks. It recommends that users change the Internet and local intranet security settings to “High”, so there will be prompts before running of ActiveX controls and active scripting in these zones.

In addition, it is being advised that IE be configured to prompt before running active scripting or to disable it in the Internet and local intranet security zone. Enabling Data Execution Prevention (DEP) is yet another recommendation.

The Microsoft advisory stated: “Setting the Internet zone security setting to High protects against all currently known exploits of this vulnerability by disabling scripting and disabling less secure features in Internet Explorer, and blocks known techniques used to bypass Data Execution Prevention.”