Bug tracker Georgi Guninski said the exploit is activated when a surfer using Internet Explorer 5 loads a malicious Web page. The surfer's network also must be running Microsoft's Exchange 2000 server for the bug to show up.
The bug lists the directories of some servers the Web surfer can access, which could enable viewing of the person's e-mails or folders if they are stored on a Microsoft Exchange 2000 server. The malicious hacker would have to know some of the Web surfer's usernames.
Guninski has rated the bug's risk as "high," and he said people can alleviate the problem by disabling Active Scripting, a browser setting that offers enhanced functions but has been repeatedly associated with potential security risks.
Microsoft said it is still investigating the finding and has been in touch with Guninski. In a message posted on Guninski's site from Microsoft's Security Response Center, the company asked him for a further explanation of the bug "so you are not just scaring people." The message also said that "visiting malicious Web sites is not a real exploit scenario."
A company representative said the company would come out with any necessary fix or workaround "as quickly as possible."
The software giant has come under fire in recent years for allegedly valuing interoperability between its products over security. In its quest to provide many pieces of software that interact with each other, some security experts say the company has been lax in addressing possible holes that could allow malicious hacker exploits.
Most notably, Microsoft's Outlook messaging software, which is used by millions of people throughout the world, played a key role in the rapid spread of viruses including I Love You and Melissa.