The vulnerability involves a flaw in the debugger's authorization feature. The flaw lets any user run any program on the system, with the highest privileges.
The hole could be used in conjunction with other Windows vulnerabilities that allow a remote attacker to run as a local user, said Marc Maiffret, chief hacking officer with network-protection company eEye Digital Security.
"By itself, I would say it's not that dangerous, but coupled with other vulnerabilities, it's nasty," Maiffret said. "It makes threats like Nimda possible."
The worm used a similar double whammy to gain base-level access to a system and then elevate its privileges to take control of the infected computer.
Microsoft gave the vulnerability a "critical" rating for client systems but would not estimate what portion of Windows NT 4.0 and Windows 2000 computers might be vulnerable to the new flaw.
"Being able to log on to the computer in the first place, and being able to run code (once logged on), are the two limiting factors for this flaw," said Christopher Budd, security program manager for Microsoft's security response center.
For example, a guest account could be co-opted by an attacker and used to exploit the flaw to run code only if the system's administrator allowed guests access to the console and let them introduce code to the machine, Budd said.
Microsoft has posted an advisory and a patch for the problem.