Microsoft on Saturday said that it disovered "limited, targeted attacks" that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. All versions of Internet Explorer from 6 through 11 are listed as vulnerable as well as all supported versions of Windows other than Server Core. Windows Server versions on which IE is run in the default Enhanced Security Configuration are not vulnerable unless an affected site is placed in the Internet Explorer Trusted sites zone.

The remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. It may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Microsoft is investigating the vulnerability and exploit and has not yet determined what action it will take in response or when.

PCs running Windows XP will not receive any updates fixing that bug when they are released, however, because Microsoft stopped supporting the 13-year-old operating system earlier this month.