"Internet Explorer remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be across any site on the Internet," said Andre Protas, eEye’s Director of Research and Preview Services. "An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials."
It seems that exploit code for this flaw has become publicly available on various forums, and exploitation attempts have already been spotted.
According to eEye, the flaw affects IE7 on both Windows XP and Windows Server 2003. Windows Vista was also reported as vulnerable, but is not being targeted at present.
Microsoft admitted the existence of the flaw but has yet to announce when a patch will be released.