A still-unpatched Internet Explorer vulnerability that's been used by attackers since late November to compromise Windows PCs is now being used by large numbers of malicious Web sites to plant spyware and adware, a security company claimed Thursday.

San Diego-based Websense said in an alert that it's detected thousands of sites connecting to a main malicious URL that's "actively exploiting this vulnerability to execute malicious code," according to the warning.

All it takes is a visit to one of the sites with Internet Explorer running on Windows 98, Windows Me, Windows 2000, or Windows XP, to compromise a computer, the warning noted. A bogus warning that the machine is infected with spyware appears and a so-called "spyware cleaning" application launches. That app then prompts the user to enter a credit card number.

What's actually installed, however, is real spyware, which then connects to a URL in the .biz domain to download and run more than 10 other programs that install without the user's consent.

According to Websense, the .biz domain Web site is real, but has been compromised by hackers. It's hosted in the U.S., and currently still online.

There is no patch for the bug, which was originally reported to Microsoft in May. The bug was found nastier than first thought in November by U.K.-based security vendor Computer Terrorism Ltd. Microsoft has said it's working on a fix, but has not committed to a release date for the patch. The next regularly-scheduled patch day is Tuesday, Dec. 13.

Microsoft, however, has issued a security advisory which outlines several steps users can take to protect themselves, including disabling IE's Active Scripting option.