Beau Butler, who discovered the flaw, says it is an old one that was apparently only partially fixed five years ago.
The software giant confirmed the issue was serious and asked this newspaper not to publish the details over fears they could be used by cyber criminals to seize control of workstations.
Microsoft's engineers in Australia and the US scrambled to replicate and confirm the issue, with the security team working over this week's Thanksgiving holiday to begin work on a fix.
"Now that we understand the issue we're researching comprehensive mitigations and workarounds to protect customers," Microsoft's general manager of product security, George Stathakopoulos, said by email.
The flaw is an old one, first exposed and apparently fixed more than five years ago. But it appears Microsoft's fix was only partially effective.
The problem affects all versions of Windows, including the company's most recent release, Vista. However, it does not affect every Windows computer, Mr Stathakopoulos said; whether a machine is affected depends on how it is configured.