Windows 7 users are at risk from a “serious” bug that could let malicious hackers take over their computer, Google has warned.
Cyber-thieves are “actively exploiting” the vulnerability by combining it with a separate flaw found in the Chrome browser.
Google has issued an update for its Chrome web browser to close the loophole.
Microsoft has said it is also working on a fix for the problem in Windows 7.
The Windows flaw exists in core elements of the operating system that are supposed to stop data in one program interacting with anything outside that application.
Google said it had seen evidence that criminal hackers had found a way to make attack code jump from Chrome into other applications to help them compromise a machine.
A patch has been produced for Chrome and users should ensure that they have updated their browser to close the loophole, said Google engineer Justin Schuh.
“Seriously, update your Chrome installs… like right this minute,” he tweeted.
The serious nature of the flaw in Chrome meant the software had to be shut down and re-started for the patch to take effect, he added.
“To date, we have only observed active exploitation against Windows 7 32-bit systems,” wrote Clement Lecigne from Google’s threat analysis group in a blog exploring the flaw.
One way to avoid falling victim was to upgrade to Windows 10, said Mr Lecigne.
Microsoft has not given a date for when its patch for Windows 7 will be released, but said it would be “as soon as possible”. Millions of machines still run Windows 7 despite it being almost 10 years old.
Writing on the Sophos security blog, Paul Ducklin said: “There doesn’t seem to be a workaround, but if you make sure you’re up-to-date, you don’t need one because the bug will be squashed.”