The disclosure of the new flaw comes as Microsoft attempts to develop a patch to fix another security hole revealed in Excel late last week.

The Microsoft Security Response (MSR) team reported on its blog this week that the vulnerability is the result of a faulty component in Windows that handles system operations involving hyperlinks.

The blog posts downplayed the significance of the vulnerability. "This [is] proof-of-concept code and not an attack," wrote Christopher Budd, an MSR team member. "We are not aware of any attacks based on this code."

However, despite the absence of ready-made hacker software that can take advantage of the flaw, Secunia, a security-monitoring company, has given the bug a rating of "highly critical."

Security Issues

According to Secunia, the flaw is caused from what is called a "boundary error" in an Excel-related Windows file named "hlink.dll."

MSR researchers said that any attempt to exploit the flaw would necessitate convincing a user to open a specially crafted Excel document. Then the user would have to find and click on a specifically designed link in that document.

"We have not found any way to attempt to exploit this vulnerability that involves simply opening a document: A user must locate [and] click [on] a hyperlink in the document," Budd wrote.

Secunia claims to have confirmed the existence of the vulnerability on a fully patched Windows XP system running Excel 2003. Other affected operating systems, according to Secunia, include Windows Server 2003 and Windows 2000.

Microsoft is recommending that people "only accept and open files from trusted sources."

Bad Timing

The flaw could not have been disclosed at a worse time for Microsoft because the company released its latest monthly set of patches just last week. Typically, the software maker does not issue fixes outside of "Patch Tuesday" releases, which means hackers will have one month to come up with malicious software specifically designed to take advantage of this flaw.

"It is bad for Microsoft to have two zero-day exploits in the wild right after their Patch Tuesday," said Rob Ayoub, an analyst at Frost & Sullivan. "They're scrambling to figure out what's going on and probably won't release a patch until their next Patch Tuesday. The timing is pretty bad."

Ayoub said that, other than causing some damage in terms of the public perception, the flaw will not pose too much of a threat. Because hackers have to get users to click on a specially designed link, it will be hard for miscreants to launch any sort of widespread attack, he explained.

"It looks like this is more difficult to execute and won't propagate without user intervention," Ayoub said. "It is bad? Yes, but it's probably worse for Microsoft's publicity than it might actually be dangerous."