A software vulnerability found in Microsoft's Web-server software and Internet Explorer may pose a risk to millions of Web servers and Internet Explorer users. Microsoft said Wednesday the flaw, discovered by security vendor Foundstone Inc., is "critical" because it could let an attacker gain control or run code of his or her choice on vulnerable systems. The company has issued a patch.

Security experts strongly advise users to patch these holes as a worm or other threat may be written to attack vulnerable systems. It was a flaw in Microsoft's Internet Information Services that made the fast-spreading Code Red worm possible in July 2001.

The flaw resides in the Microsoft Data Access Components, which are used to connect databases running on Windows. The MDACs are included with Windows XP--though the vulnerability does not affect XP--Windows 2000, and Windows Millennium, and they're also found in Windows NT 4.0 Option Pack, as well as in Internet Explorer. Users running Windows 95 and 98 also may be vulnerable.

Additionally, Microsoft says it's working to patch another Internet Explorer vulnerability that was revealed last week on the security mailing list Bugtraq, now owned by Symantec Corp. This flaw, which affects users of Internet Explorer 5.5 and 6.0, and possibly those who use Outlook or Outlook Express, opens users to having their hard drives accessed or their systems hijacked if they visit Web sites designed to exploit this vulnerability. Microsoft wouldn't say exactly when a patch for this flaw would be made available.

Detailed information regarding the MDAC vulnerability, including the patch, is available in Microsoft Security Bulletin MS02-065 found at www.microsoft.com/security.