Windows posted an advisory of the flaw on its website Monday but has not yet issued a patch.
British threat intelligence firm Computer Terrorism warned Monday that the "security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user."
Secunia has warned that successful exploitation requires that a user be tricked into visiting a malicious website.
"The vulnerability has been confirmed on a fully patched system with Internet Explorer 6 and Microsoft Windows XP SP2 and Internet Explorer 6 and Microsoft Windows 2000 SP4," read a statement on the internet threat website.
Microsoft advisory 911302 warns the flaw was originally publicized this spring, but it was not clear that code execution was possible until recently.
"This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible," the company said on its website. "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."