A Chinese research team has discovered a zero-day vulnerability in Internet Explorer 6 that is being actively exploited to conduct cross-domain scripting attacks.

The zero-day bug is caused by an input validation error that could allow a remote attacker to execute arbitrary code into the browser of a user while they are on a trusted site, according to an advisory from tracking firm Secunia, which graded the vulnerability "moderately critical."

"The vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain," said a US-CERT advisory published on Thursday. "This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials."

The flaw, which does not impact the latest IE browser, version 7, was discovered by a Chinese research group known as Ph4nt0m Security Team.

Users are suggested to upgrade to IE7 or disable scripting in the IE6 browser, according to McAfee Avert Labs researchers.

A Microsoft spokeswoman said the company was investigating the issue.

"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," she said. "We will take steps to determine how customers can protect themselves should we confirm the vulnerability."