Computer hackers are targeting a flaw in Microsoft’s Windows operating system that has placed hundreds of millions of PCs at risk of infection from dangerous "spyware" programs used by criminal gangs to steal people’s identities.

The flaw in the software, which is used by 90 per cent of the world’s computers, allows PCs to be infected by programs maliciously embedded into seemingly harmless image files. It was first discovered last week, but Microsoft is yet to release a protective "patch" to guard against the danger.

"The … vulnerability probably affects more computers than any other security vulnerability, ever," Mikko Hypponen, chief research officer at F-Secure, said on the web-security company’s weblog.

Most attacks require a victim to download an infected file. But the newly discovered flaw, which dates back at least a decade, makes it possible for a PC to be hit simply by a user browsing a web page or opening an e-mail that contains an infected image.

Mark Herbert, the founder of intY, an internet security company, said: This is one of the first examples of a new generation of threats on the internet. Now people can run into serious problems just looking at web pages – something we haven’t seen before.

"This should be a serious wake-up call to the web community."

Patrick Runald, a senior anti-virus consultant with F-Secure, told Times Online: "Unlike other threats, which tend to target specific versions of software, this affects all versions of Windows from the past 10 years or so - that means hundreds of millions of machines. We are now seeing lots of activity among virus writers looking to exploit this flaw."

According to Mr Runald, hackers exploiting the vulnerability have so far focused on using it to install secret "spyware" and "back doors" on victims' PCs. That suggests that criminal gangs are mainly responsible rather than trouble-makers who prefer mass e-mail campaigns to spread viruses as far as possible.

The underlying "source code", which maps out how to exploit the weakness, has now been published on the net by hackers.

Microsoft has confirmed that the flaw has been actively exploited and said it was working "with our anti-virus partners and aiding law enforcement" to tackle the problem.

The incident is especially embarrassing since it also affects the test - or "beta" -version of Vista - the latest version of Windows that is due to be released later this year. Bill Gates, Microsoft's founder, has heavily promoted Vista's improved security.

Donal Casey, a consultant for Morse, the internet security company, said: "Vista had been marketed as the secure version of Windows, but obviously it is not. Microsoft is covered because the final version hasn't been released, which will allow them to do a bit more thinking."

In the absence of a patch, Microsoft has urged PC users to follow its standard advice and "exercise caution when they open e-mail and links in e-mail from untrusted sources."

It added: "While we have not encountered any situation in which simply opening an e-mail can result in attack, clicking on a link in an e-mail could result in navigation to a malicious site."

Microsoft's statement can be found here.

According to F-Secure, more than 100 different versions of the malicious programs – called WMF or Windows metafile programs – targeting the flaw have emerged so far. This week WMF exploits have been spread in e-mails wishing people "Happy New Year" and by messages purporting to be from American security agencies.

According to the F-Secure website, Internet Explorer users are at the greatest risk of automatic infection "while Firefox and Opera browser users are prompted with a question whether they’d like to open the WMF image or not. They get infected too if they answer ‘Yes’."

The Home Office has estimated that identity theft accounts for £1.3 billion in stolen goods, services and cash a year. Meanwhile fraudsters have turned to online crime to sidestep new measures on the high street, such as chip-and-pin card technology. According to police figures, computer crime alone cost British businesses £2.4 billion last year.

Times Recommends

• Lies and cover-up at MG Rover exposed by report
• High oil prices push manufacturing costs up
• Primark founder steps down as chief executive