The security flaw is a "buffer run"
CNET White Papers
Microsoft has issued a patch for the flaw that can be downloaded by Windows ME users.
The software titan is one year into a major push to make its applications, but has acknowledged that much work remains to be done.
The buffer vulnerability was discovered in the Windows ME Help and Support Center, which allows people to execute links using the "hcp://" prefix in a Web link instead of "http://." Phony links using the "hcp://" prefix, which contains the flawed buffer, would then allow an attacker to run software on the victim's computer, the notice said.
Microsoft added that the phony links could be sent to unsuspecting victims via e-mail or could be hosted on a Web site. An attacker could, in some circumstances, trigger a software program to execute automatically by sending it via e-mail. However, people using Outlook Express 6.0 or Outlook 2002 as their default e-mail systems, or Outlook 98 and 2000 with a security update, would have to click on an e-mailed link to run the attacker's software.
The patch was originally posted on Microsoft's Web site on Wednesday.