Security firm Secunia has found another flaw in Windows, this time in the Microsoft XML Core Services.

The flaw, which is located specifically in the XMLHTTP 4.9 ActiveX Control, allows hackers to gain control of PCs when users visit a malicious website using Internet Explorer. Secunia has rated it as “Extremely critical” as it’s already being exploited.

Microsoft has already responding by posting on the Security Response Team Centre blog and on it security site. It says that it’s aware of “limited” attacks but that a security update will be released, either in the monthly update or in an out-of-cycle release.

It affects people using Windows 2000 server products and 2000 Professional, as well as Server 2003 products, and XP Home and Professional editions.

Secunia has also previously reported what it claims are two flaws in IE7 shortly after the application was released; Microsoft countered that one was actually a bug in Outlook, not in IE7.