Microsoft is investigating three new unpatched Windows flaws that security researchers have described as highly critical. The flaws, which were revealed publicly on the Bugtraq security mailing lists over the holiday weekend, were first reported by a group of security researchers from China called Xfocus.
The three flaws exist in the LoadImage API (application programming interface), the Windows animated cursor (*.ani) file type, and in the Windows Help parser, respectively. All three are present in all modern Windows versions, including Windows Server 2003, Windows XP, Windows NT 4.0, and Windows 2000. However, Windows XP Service Pack 2 (SP2), which is widely acknowledged as the most secure client version of Windows Microsoft has yet made, is only susceptible to two of the three flaws.
Like previous image format-based vulnerabilities, the LoadImage-based flaw could be exploited by a malicious Web page or HTML email that displays a specially-made image file, icon, or cursor. Victims could find their machines remotely controlled by hackers.
The animated cursor flaw can be used to crash or freeze a victim's machine, security researchers say. This particular flaw does not affect XP SP2. The final flaw, involving the way Windows parses help files, triggers a buffer overflow error that could help hackers remotely control a PC. However, you would have to open a malicious help file via the Internet or email for the flaw to be exploited.
Security researchers at Secunia have described the flaws as "highly critical" and are advising users not to visit untrusted Web sites. For its part, Microsoft says it is investigating the flaws, but the software giant also voiced its concern that Xfocus publicly revealed the flaws before alerting them. "Microsoft is disappointed that Xfocus took actions that could put computer users at risk by not following the commonly accepted industry practice of privately reporting security vulnerabilities to software vendors," a Microsoft spokesperson said. The company says that no know exploits for these vulnerabilities currently exist, but that it will release fixes for these flaws as soon as possible.