The vulnerability affects the program on Windows 98, 98 Second Edition, ME, 2000 Service Pack 4 and XP Service Packs 1 and 2.
The Redmond, Wash., company said the issue was initially reported in May, but as a stability issue that caused the browser to close.
"Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," the company said on its website.
Advising users to be careful opening links in emails, Microsoft said a malicious user would have to use social engineering to lure a user to a harmful website.
"In a web-based attack scenario, an attacker would have to host a website that contains a webpage that is used to exploit this vulnerability," Microsoft said. "An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to persuade them to visit the website, typically by getting them to click a link that takes them to the attacker's website."
Microsoft's next "Patch Tuesday" distribution is scheduled for Dec. 13.
An advisory on the U.S. Computer Emergency Readiness Team website also told users not to trust unsolicited links and to disable active scripting.
"Disabling Active scripting in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability," the agency warned.
Secunia said the vulnerability, discovered by Benjamin Tobias Franz, "is caused due to certain objects not being initialized correctly when the window() function is used in conjunction with the event."