Microsoft investigates new vulnerability in Windows

But users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights, Microsoft said.

However, the company said it is not aware of attacks that try to use the vulnerability or of customer impact.

The vulnerability is found in Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008, but not Windows 7.

The company said it is working with partners in its Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs", it said.

The bug was presented as a case study at a recent hacking convention in Korea, according to Paul Ducklin, head of technology for Asia Pacific at security firm Sophos.

A working exploit was recently added to the freely available Metasploit Framework by a developer named jduck, he wrote in a blog post.

"According to jduck, the vulnerability exists in code which processes a DIB (device-independent bitmap), allowing a 'stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents'", he said.

"With Patch Tuesday just a week away, we can hope that it will be knocked on the head then", said Ducklin.
 
