The vulnerability has been labelled "highly critical" by security firm Secunia. It exists in Microsoft's Jet Database Engine, and can be exploited to execute arbitrary code by tricking users into opening a specially designed ".mdb" file in Microsoft Access, according to Secunia. Exploit code for the vulnerability has already been posted to a public mailing list, the security company has warned.
Microsoft criticised disclosure of the vulnerability, saying that the commonly accepted practice is to report a threat to the vendor first so a patch can be developed if necessary before the exploit code gets distributed.
Secunia said the flaw was first reported by security firm HexView. HexView said it notified Microsoft of the vulnerability on 30 March but received no response. In fact, HexView received an automated response but did not consider that sufficient for its 30-day disclosure policy to apply.
For more information see HexView's advisory here.