Microsoft has warned Windows users to install an “emergency” out-of-band security patch.

The software giant said in an advisory that a security flaw in some versions of Internet Explorer could allow an attacker to remotely run malicious code on an affected device. A user could be stealthily infected by visiting a malicious web page or by being tricked into clicking on a link in an email.

“An attacker who successfully exploited the vulnerability could take control of an affected system,” said Microsoft.

Microsoft said the vulnerability was under active exploitation, though details of the flaw had not been made public.

More than 7% of all browser users are running affected versions of Internet Explorer 9, 10 and 11, according to recent data. All supported versions of Windows are affected, including Windows 7, Windows 8.1 and Windows 10, as well as several Windows Server versions.

Most users can install the patches using Windows Update.

Microsoft also issued a fix for its in-built malware scanner Windows Defender, which if exploited could have triggered a denial-of-service condition resulting in the app failing to work.

The company said no action was required by users to remediate the bug in Windows Defender.

It’s rare but not unheard of for Microsoft to release emergency security patches outside of its typical monthly patching cycle. The company typically releases security fixes in the second week of each month on its so-called Patch Tuesday, but also will release fixes for significant vulnerabilities under active exploitation as soon as they are made available.

Homeland Security warned in its own advisory urging affected users to install the patches.