Security firm warns of new IE flaw

A security services company warned of a new vulnerability in Microsoft's Internet Explorer Web browser that could allow Web surfers to be tricked into downloading malicious files.

Danish company Secunia posted details of the alleged flaw, which could be used in combination with an earlier "spoofing" flaw reported by the company.

Microsoft representatives did not immediately respond to a request for comment.

The new flaw could allow the owner of a malicious Web site to deliberately misidentify a downloadable file, so a malicious program file could be made to appear as if it were a secure file. Visitors might think they were downloading a document based on Adobe's portable document format (PDF), for instance, but actually receive a malicious, self-executing program such as the new MyDoom worm.

Secunia's advisory includes an online test showing how the flaw could be exploited. The company said it identified the hole in the current version 6 of Internet Explorer, but previous releases also could be affected. Secunia representatives did not immediately respond to a request for comment.

The alleged flaw could be particularly effective if used in combination with another IE hole identified by Secunia last month. That flaw lets Web site owners disguise the identity of their site by displaying a false address in the Internet Explorer address and status bars.

Microsoft has yet to release a patch for that vulnerability, although it has posted a bulletin with tips for avoiding such "spoofed" sites. One of the tips is to avoid clicking hyperlinks. "Rather, type the URL of your intended destination in the address bar yourself," Microsoft advises.

Microsoft's delay in addressing that flaw has drawn criticism from security experts and led an open-source programming group to create its own patch for the flaw.

Microsoft last year instituted a new policy for patching security holes, deciding to cluster fixes in a single monthly release rather than distributing piecemeal updates.
