Exploit now publicly available for unpatched IE flaw

24.03.2006

The flaw in question was disclosed earlier this week and relates to the manner in which IE responds when presented with specially crafted HTML code. The flaw allows an attacker to present data that corrupts system memory in a way that could allow the attacker to execute arbitrary code, according to a Microsoft description of the flaw.

The vulnerability exists on fully patched systems with IE 6.0 running Microsoft Windows XP Service Pack 2. The vulnerability has also been confirmed in the IE 7 Beta 2 Preview (January edition).

'This vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user,' Microsoft said.

As a result, systems that are configured to give users limited access rights will be less affected, while those that have full administrative privileges could find their systems completely under the control of a remote attacker, Carpenter said.

Despite the potentially critical nature of the vulnerability, there are several mitigating factors, according to Microsoft. An attacker would have to first convince users to visit a malicious Web site for the vulnerability to be exploited, and the flaw can't be exploited automatically through e-mail or while viewing e-mail through the preview pane. Microsoft has also suggested turning off the Active Scripting function in IE as a way to prevent the exploit from working.