The unpatched flaw exists in Microsoft's Jet Database Engine, which can be exploited to execute arbitrary code by tricking users into opening a specially designed ".mdb" file in Microsoft Access, according to the Secunia advisory.
Exploit code for the vulnerability has already been posted to a public mailing list, the security company warns.
Microsoft believes that these sorts of things should be reported to the vendor first; any posting to a public mailing list carries the risk of the flaw being made into an exploit and used. Secunia has said that that was exactly what happened, and that Microsoft took no notice.
Secunia says the flaw was first reported by security firm HexView. HexView says it notified Microsoft of the vulnerability on March 30 and received no response. The software vendor declines to comment on the notification claim.