A critical and unpatched hole has been found in Microsoft's Windows Media Player.

The flaw, which affects versions 9 and 10 of the ubiquitous software, could allow a malicious hacker to run unauthorised software on a victim's PC or cause a denial-of-service attack, according to security company FrSIRT, which rated the problem critical.

The flaw is due to a buffer overflow error that can occur when Windows Media Player is used to run ".asx" media files, according to a warning from eEye.

Such files open automatically in a Web browser, meaning a hacker would need only to post an infected .asx file in a Web page and then try to lure users to visit the page, eEye Digital said. An infected file could also be sent via email, in which case users would need to be persuaded to open it.

Microsoft said an initial investigation revealed that the "proof of concept" code could allow an attacker to execute code on a user's machine. It said it was unaware of any attempts to exploit the vulnerability, and it was unclear Friday morning if the proof of concept code it referred to was in the hands of hackers.

Users can protect against the vulnerability in Internet Explorer by preventing it from opening .asx files automatically. Turning off Active Scripting would also greatly reduce, but not eliminate, the risk, Microsoft said. FrSIRT also recommended that users upgrade to Windows Media Player 11, which it said is not affected.

Microsoft is determining whether it needs to issue an "out of cycle" security fix for the problem or patch it with its next monthly software update.

The flaw was originally reported on 22 November, when it was identified only as a denial-of-service issue. Some discussion boards described the problem as a "zero-day exploit", although it was unclear if that was the case. Zero-day exploits occur when exploit code is released on the same day that a flaw is uncovered, giving users no time to protect themselves.