Microsoft is warning that exploit code could exist for an unpatched flaw in Internet Explorer.

In an advisory it is warning of a flaw in its DDS Library Shape Control software, which is used by components such as Visual Studio. Any browser viewing a specially crafted web page could be crashed in such a way as to allow a hacker to insert and run code on the user's PC.

"Internet Explorer will attempt to instantiate any COM object that is referenced by a web page," warned the United States Computer Emergency Readiness Team (US-CERT).

"COM objects that are not ActiveX controls may cause unexpected results, such as crashing Internet Explorer. The Microsoft DDS Library Shape Control COM object crashes in a way that can be exploited to execute arbitrary code on a vulnerable system."

The DDS Library Shape Control software is not included in Microsoft software automatically, but forms a part of Microsoft Visual Studio .NET 2002, Microsoft Visual Studio .NET 2003, Microsoft Office Professional 2003 and Microsoft Office XP.

Microsoft has criticised the way this vulnerability has been published without giving it time to develop a patch. French security researchers FrSIRT discovered the vulnerability in response to an anonymous tip-off.

"Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk," said the company in a statement.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

It has included five possible workarounds for the flaw in the advisory and is developing a patch for the problem.