Internet Explorer is afflicted with a "universal" bug that allows code injection and data stealing, according to several security researchers.

Deusen, a cybersecurity company, developed a proof-of-concept demonstrating the flaw earlier in the week, bypassing the same-origin policy (SOP) which is supposed to prevent scripts from accessing or altering data on another site.

Security vendor Symantec said: "With this vulnerability, a determined attacker can craft an email containing a link that leads to a malicious website.

"If the recipient were to click on that link, the malicious website could bypass the SOP and allow the attacker to obtain sensitive information."

Microsoft has yet to fix the bug, and a statement issued by the firm claimed that to exploit it a hacker would need to trick a victim into visiting a malicious website.

"We’re not aware of this vulnerability being actively exploited and are working to address it with an update," it said.

"We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

Joey Fowler, a senior security engineer at Tumblr, noted that whilst the flaw was quirky "it most definitely works", adding that it even bypassed HTTP-to-HTTPS security restrictions, which are supposed to encrypt information sent to and from web browsers.