Microsoft published a security advisory about a newly discovered vulnerability affecting Internet Explorer versions 6 through 11, which as of yet has not been patched.

The bug, a remote code execution vulnerability, corrupts the memory of deleted or misallocated in-memory objects to exploit code remotely. According to the advisory, Microsoft is currently investigating the issue, and upon completion will likely release an out-of-cycle security patch. Windows XP users will not receive a patch.

(Related: The world on the eve of Microsoft XP’s end)

“At this time, we are only aware of limited, targeted attacks,” Microsoft response communications group manager Dustin Childs explained in a blog post. “This issue allows remote code execution if users visit a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an e-mail or instant message.”

According to security firm FireEye, Internet Explorer versions 9 through 11 comprise more than 26% of the browser market, and these versions are being targeted by attacks.