Microsoft is investigating a newly reported flaw that could put websites at risk of attack.

The company has issued an advisory on the vulnerability, which affects Windows XP Professional SP2, Windows Server 2003, Windows Vista and Windows Server 2008.

The problem exists in Windows' handling of code within its Internet Information Services (IIS) and SQL Server.

If exploited, the vulnerability could allow a user to elevate access privileges to that of the LocalSystem administration tool.

Microsoft warned that companies that make extensive use of user-provided code, such as site hosts, are especially vulnerable.

Microsoft has yet to receive any reports of the vulnerability being targeted, but security experts have already warned of a possible attack.

"The vulnerability is limited to a local privilege escalation, but IIS' susceptibility is concerning," wrote McAfee researcher Karthik Raman.

"The web server is widely used on the internet, and is a top pick by web-hosting providers. We might see web-hosting providers targeted, and their clients' websites breached."

Microsoft is still investigating the reports and will make a decision on whether to issue a patch immediately or wait until its next scheduled security update on 13 May.