The software giant is investigating a report on the security site Bugtraq concerning problems with the way Internet Explorer handles digital certificates. If the flaw is confirmed, users will have to upgrade every copy of Internet Explorer on their site to fix the problem.
"As soon as the investigation is complete we will know the best way to protect our customers," a spokesperson for Microsoft said.
The loophole could allow hackers to create a spoof e-commerce site and capture user names, passwords and credit card numbers. However, "the scenario proposed would be difficult to pull off successfully," the spokesperson added.
News of the potential problem could prove a major embarrassment for Microsoft after last week's settlement with the US Federal Trade Commission following allegations of poor security in Microsoft's Passport authentication service.
In a posting on the Bugtraq site, Mike Benham, who found the hole, said that by using his own digital certificate signed by a certification authority (such as VeriSign) he would be able to circumvent the strong security provided by SSL (Secure Sockets Layer) within Internet Explorer.
He said his certificate could be made to look like it belonged to another Web site. "I would consider this to be incredibly severe. Any of the standard connection hijacking techniques can be combined with this vulnerability to produce a successful man in the middle attack," he said.
Richard Brain, technical director at ProCheckUp, which runs a penetration testing service, said the flaw could allow a hacker to spoof an e-commerce site. "A hacker could generate their own certificate and imitate Amazon," he said.
The security hole occurs as a result of a problem in the way Internet Explorer handles digital certificates. Certificates give users on the Internet a means of confirming that the Web site they log into is genuine.
A bug in the way Internet Explorer checks those certificates means it is possible to substitute a fake for a genuine certificate, said Benham.