But users who configure their systems so that they don't connect to ad hoc networks -- and those who use firewalls and properly patched systems -- should be safe from the threat, he said.

"There are a couple of conditions that need to be met before [the threat could be exploited]," Loveless said. "But it appears to me those conditions have been met in a lot of machines" based on field tests, he said.

In a statement, Microsoft said that its investigation of the flaw has "determined that customers who have connected to an 'ad hoc' wireless network in the past that was not protected with wireless encryption could be lured into connecting to a malicious advertised 'ad hoc' wireless network under limited circumstances."

But those using firewalls and a fully updated system should be at "reduced risk" of attacks following such ad hoc connections, Microsoft said, adding that it's also possible to prevent such malicious connections by configuring systems to connect only to "infrastructure" networks.

The company plans to release an update fixing the default configuration in a future service pack or security update rollup.