Original URL: http://www.channelregister.co.uk/2006/01/03/windows_meta_file_hack/
At least two unofficial patches have been made available for the millions of Windows users left hanging by the latest serious security vulnerability to hit Microsoft's operating system.
Security specialists at the Internet Storm Center (ISC) (http://isc.sans.org/diary.php) are pointing customers running Windows XP Service Pack 1, SP2, Windows Server 2003 and Windows Server 2003 SP1 to two fixes for a previously unknown vulnerability in the Windows MetaFile (WMF).
Users waiting for Microsoft to respond must wait until the company's regularly scheduled January 10 software update, called black Tuesday, for a WMF fix, nearly two weeks after the vulnerability was first confirmed.
PCs running old operating systems, such as Windows 98, will be left out in the New Year cold entirely, as they now exceed Microsoft's support cycle.
The vulnerability has the potential to enable a hacker to execute code on a user's machine if that user is persuaded to view a specially crafted WMF, either by visiting a website or clicking on a link contained in a malicious email.
The hole uses images to execute malicious code, meaning code can potentially be executed just by viewing an image. ISC warned that even images stored on a user's PC may cause the exploit to be triggered.
Despite being judged serious by Microsoft, the company has decided that customers must wait until January's scheduled batch of software updates to receive the WMF fix.
In a statement timed to coincide with Tuesday's post-Christmas and New Year return to work, Microsoft said: "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
The delay is apparently due to the need for third parties to test their own software with Microsoft's patch, the company said. In the meantime, aside from using the unofficial Windows patches, users are advised to unregister the related DLL and keep their anti-virus software up to date.