The vulnerability is in the File Transfer Manager (FTM) program which Microsoft offers to its developers and volume-licence customers. Microsoft said it believes that only a small number of its customers are affected by the flaw.
The vulnerabilities are both the result of flaws in ActiveX controls included in versions released before File Transfer Manager 4.0, said security researcher Andrew Tereschenko.
The first hole, which can be exploited via a buffer overflow, could allow virtually any Web site to install an ActiveX control on a user's computer, Tereschenko said.
The second vulnerability can be exploited via a man-in-the-middle attack - in which the attacker intercepts traffic between a host and the target PC - to download or upload any file from or to an affected PC.
Tereschenko disputed Microsoft's claim that only a small number of customers are affected by the flaw. The vulnerabilities could allow an attacker to take over affected systems.
Microsoft has urged users of File Transfer Manager to upgrade their software to version 4.0. The new version of the software is available at transfers.one.microsoft.com/ftm/install.
Security research firm Next Generation Security Software announced it has also discovered a vulnerability in Microsoft's SQL Server 7 and 2000 that could allow a user with low access privileges to overwrite files in the database.
The vulnerability exists in the SQL Server agent, a helper component used to restart the database service on SQL Server if it stops, NGSSoftware said. Because the agent can accept jobs from low-privileged users by default, an attacker could create a specially crafted query that can, in some cases, cause the agent to overwrite files on the server, the group said.
NGSSoftware said that it had notified Microsoft of the problem in July, but the company has not yet released a patch.
SQL Server should be configured to disallow low-privileged users access to the job procedures to prevent the problem, NGSSoftware said.
The alert and more information on the work-around can be found at www.nextgenss.com/advisories/mssql-jobs2.txt.
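As an added illustration of the work-around (not taken from the article or from NGSSoftware's advisory), the following T-SQL removes the default public access to the msdb job procedures and re-grants it only to a named role. It assumes the procedures listed are the "job procedures" meant, and `JobAdmins` is a placeholder for a site-specific database role that already exists.

```sql
-- Added example, not from the article or NGSSoftware: restrict the
-- SQL Server Agent job procedures in msdb to an explicit role.
-- Assumption: the listed procedures are the relevant "job procedures";
-- 'JobAdmins' is a placeholder role that must already exist in msdb.
USE msdb
GO

-- 1. Inspect who can currently execute the job procedures.
--    On a default install public appears as a grantee.
EXEC sp_helprotect @name = 'sp_add_job'
EXEC sp_helprotect @name = 'sp_add_jobstep'
GO

-- 2. Remove the default grant to public on every procedure a
--    low-privileged login could use to create, modify or launch a job.
REVOKE EXECUTE ON dbo.sp_add_job         FROM public
REVOKE EXECUTE ON dbo.sp_add_jobstep     FROM public
REVOKE EXECUTE ON dbo.sp_add_jobschedule FROM public
REVOKE EXECUTE ON dbo.sp_add_jobserver   FROM public
REVOKE EXECUTE ON dbo.sp_update_job      FROM public
REVOKE EXECUTE ON dbo.sp_update_jobstep  FROM public
REVOKE EXECUTE ON dbo.sp_start_job       FROM public
REVOKE EXECUTE ON dbo.sp_delete_job      FROM public
GO

-- 3. Re-grant only to the accounts that genuinely schedule jobs.
--    Members of sysadmin are unaffected by the revoke and need no grant.
GRANT EXECUTE ON dbo.sp_add_job         TO JobAdmins
GRANT EXECUTE ON dbo.sp_add_jobstep     TO JobAdmins
GRANT EXECUTE ON dbo.sp_add_jobschedule TO JobAdmins
GRANT EXECUTE ON dbo.sp_add_jobserver   TO JobAdmins
GRANT EXECUTE ON dbo.sp_update_job      TO JobAdmins
GRANT EXECUTE ON dbo.sp_update_jobstep  TO JobAdmins
GRANT EXECUTE ON dbo.sp_start_job       TO JobAdmins
GRANT EXECUTE ON dbo.sp_delete_job      TO JobAdmins
GO

-- 4. Verify: public should no longer be listed as a grantee.
EXEC sp_helprotect @name = 'sp_add_job'
EXEC sp_helprotect @name = 'sp_add_jobstep'
GO
```

Run step 1 first and keep its output: any application account that shows up with a legitimate need for these procedures must be added to the role in step 3, or its scheduled jobs will stop being created after the revoke.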