At least two unofficial patches have been made available for millions of users running Windows left hanging by the latest serious security vulnerability to hit Microsoft's operating system.

Security specialists at the Internet Storm Center (ICS) are pointing customers running Windows XP Services Pack 1, SP2, Windows Server 2003 and Windows Server 2003 SP 1 to two fixes for a previously unknown vulnerability in the Windows MetaFile (WMF).

Users waiting for Microsoft to respond must wait until the company’s regularly scheduled January 10 software update - called black Tuesday - for a WMF fix - nearly two weeks after the vulnerability was first confirmed.

PCs running old operating systems, such as Windows 98, will be left out in the New Year cold entirely, as they now exceed Microsoft's support cycle.

The vulnerability has the potential to enable a hacker to execute code on a user’s machine if that user is persuaded to view a specifically crafted WMF, either by visiting a website or clicking on a link contained in a malicious email.

The hole uses images to execute malicious code, meaning code can be potentially executed just by viewing an image. ICS warned even images stored on a user's PC may cause the exploit to be triggered.

Despite being judged serious by Microsoft, the company has decided that customers must wait until January's scheduled batch of software updates to receive the WMF fix.

In a statement timed to coincide with Tuesday's post-Christmas and New Year return to work, Microsoft said: "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

The delay is apparently due to the need for third-parties to test their own software with Microsoft's patch, the company said. In the meantime, aside from using the unofficial Windows patches, users are advised to un-register the related DLL and keep their anti-virus software up-to-date.®