Noted bug hunter Georgi Guninski reported the vulnerability on the Bugtraq security mailing list. He said the problem affects Internet Explorer 5.5 and Microsoft's Outlook and Outlook Express email clients.
The vulnerability exploits ".chm" files, a compressed help file format, Guninski said.
Microsoft could not immediately be reached for comment. In the Bugtraq posting, Guninski said he had notified Microsoft about the security hole Nov. 15.
He added that the vulnerability could be prevented by disabling active scripting, a browser setting that offers more functions but has been repeatedly associated with potential security risks.
Guninski said Microsoft had fixed a similar exploit in the past by requiring ".chm" files to be run only from the local file system. He said the newly discovered vulnerability revives the ".chm" problem by revealing the location of temporary Internet files folders, allowing a remote user to activate the ".chm" file locally.
"Once a temporary Internet files folder name is known, it is possible to cache a '.chm' in any temporary Internet files folder and then use 'window.showHelp()' to execute it," he wrote. "There are other ways to execute programs once a temporary Internet files folder is known and a document is cached in it, but 'showHelp()' seems to be the simplest."