The flaw affects users of Windows NT's Internet Information Server 4.0 and Windows 2000's Internet Information Server 5.0, the company said.
The vulnerability originated from a flaw that makes the software run an extra security check each time a user requests a URL, or an Internet address. If a hacker knew what to look for, that person could use that second check as a window to break into the system.
The patch released by Microsoft on Monday fixes this flaw and all other security flaws found since the Internet server software was released.
The flaw isn't as serious as the one in the Internet Information Server's printing software that was made public two weeks ago, security experts say, because it doesn't automatically give administrative control to the hacker. Microsoft previously released a downloadable patch to fix that problem.
But Shawn Hernan, team leader for vulnerability handling at CERT Coordination Center, an Internet security research center affiliated with Carnegie Mellon University, said it is serious in that it is a very simple hack to execute.
"It is the kind of vulnerability that is easily exploited and it affects a very popular product," he said.
Microsoft is urging users to get the patch immediately.
"Every security vulnerability should be taken seriously, particularly when it involves Web servers, because they're right on the front line," said Scott Culp, Microsoft security program manager.