The vulnerability has the potential to enable a hacker to execute code on a user’s machine if that user is persuaded to view a specifically crafted WMF, either by visiting a website or clicking on a link contained in a malicious email. The hole uses images to execute malicious code, meaning code can be potentially executed just by viewing an image. ICS warned even images stored on a user’s PC may cause the exploit to be triggered.

Security specialists at the Internet Storm Center (ISC) are pointing customers running Windows XP Services Pack 1, SP2, Windows Server 2003 and Windows Server 2003 SP 1 to two fixes for a previously unknown vulnerability in the Windows MetaFile (WMF). Users waiting for Microsoft to respond must wait until the company’s regularly scheduled January 10 software update - called black Tuesday - for a WMF fix - nearly two weeks after the vulnerability was first confirmed.

PCs running old operating systems, such as Windows 98, will not receive an update as they now exceed Microsoft’s support cycle.