The vulnerability, which affects only systems running Internet Explorer, is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control and could be used to seize control of an affected system, according to an advisory from Secunia, a security company based in Denmark.
IBM-owned ISS X-Force detailed on its site the kind of damage that could be caused by the vulnerability.
"This could lead to loss of confidential information, disruption of business, or further compromise," according to the security company.
For the vulnerability to be exploited, a user would have to visit a malicious Web site, Secunia said.
Microsoft acknowledged that the bug is already being exploited, in a note posted to the company's site.
"We are aware of limited attacks that are attempting to use the reported vulnerability," Microsoft said.
Some of the affected software includes Windows 2000, Windows XP Service Pack 2 and Windows Server 2003.
People running Windows Server 2003 and 2003 Service Pack 1 in the default configuration with the Enhanced Security Configuration turned on aren't affected, Microsoft said.
Microsoft will determine, based on "customer needs," whether to release a patch during the company's monthly release process or an "out-of-cycle security update," the company said.
Microsoft's next patch release day is November 14.