The vulnerability, first reported last week, is related to the company's data access software, called Jet, and is found in the company's Excel 97 program, a popular component of Office 97.
The hole allows code contained in an Excel 97 worksheet, hidden in a Web page or sent via email, to plant viruses, delete data, or read files, according to the programmer who discovered the problem.
"Right now we are thoroughly testing the solution," said Andrew Dixon, Microsoft's group product manager for Office.
"We take all security issues seriously," he said. "To date, we have not heard from any customers on the issue."
According to Microsoft, the hole exists in Jet version 3.51, which shipped with Office 97. The company has said the "vulnerability should be taken seriously."
The exploit does not affect Office 2000, the latest version of the company's personal productivity suite. That upgrade uses Jet 4.0.
Due to the complexity in which Jet interacts with other Microsoft applications, security experts said they would prefer that the company take the time to get a patch right before issuing a fix.
Jet is used in several Microsoft products, including its Exchange messaging server and is the default database used with the company's popular Visual Basic development tool. Jet can also be used with other Microsoft development tools, such as Visual C++.
It is also used by third-party software providers. "We want to make sure when we do introduce the patch, we don't introduce any incompatibility issues," Dixon said.
Microsoft said it will post more information on the issue on its Web site.