First reported two days ago by Symantec Corp.'s DeepSight threat network, the flaw is in the OLE32.DLL library file, which is a required Windows component called during object linking and embedding operations, such as inserting a Microsoft Excel worksheet inside a Word document.

Attackers can exploit the OLE32.DLL vulnerability by crafting a malicious Word document, then duping users into downloading the document or opening it when it arrives via e-mail. Software that's linked to OLE32.DLL, such as the Windows Explorer file navigator, will crash, said Symantec.

The flaw affects Windows XP and Windows 2000.

"At a minimum, this vulnerability will cause Microsoft Windows Explorer to crash," read an alert issued yesterday by US-CERT, the federally funded threat center. If Explorer crashes, Windows becomes unusable; the only way to recover the system is with a hard reboot.

Both Symantec and US-CERT warned that it might be possible for attackers to use the bug to insert their own code on the compromised computer. "The complete impact of this vulnerability is not known," US-CERT said. "Memory corruption does occur, but it is not clear if this can be leveraged to execute arbitrary code."