Updated 11:15 a.m. PST with more information, security expert comments.
Microsoft on Tuesday issued patches for critical holes in all supported versions of Windows that could allow an attacker to take over a system by executing code remotely if the user viewed a maliciously crafted image file.
The patch for Windows 2000, XP, Vista, Server 2003, and Server 2008, plugs a vulnerability (MS09-006) that affects images created with the Enhanced MetaFile (EMF) or Windows MetaFile (WMF) display formats, according to Microsoft's advisory.
"An attacker can send you an e-mail with an infected image in it or you can go to a Web site with an infected image or get it elsewhere, from a thumbdrive," said Wolfgang Kandek, chief technology officer of Qualys, which helps companies with security risk and compliance.
Attackers can also disguise .WMF and .EMF files as other image file types, such as .JPG, in order to sneak them past cautious users, said Alfred Huger, vice president of development at Symantec Security Response.
Also patched on Patch Tuesday were two holes rated "important" that affected the same systems and which could be used by an attacker to masquerade as someone else in a spoofing attack.
One of the important patches, which affects Windows 2000, Server 2003, and Server 2008, resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS (Windows Internet Name Server). The holes could allow an attacker to redirect network traffic intended for systems on the Internet to a malicious site, according to the advisory.
The second important patch, which affects all supported versions of Windows, (MS09-007) resolves a vulnerability in the Secure Channel security package in Windows. It could allow an attacker to gain access to the certificate used by the end user for authentication. Customers are affected only when the public key component of the certificate used has been accessed by some other means, Microsoft said.
Kandek of Qualys said the risk is minimized by the fact that not many corporations seem to use the technology involved much.
Microsoft has yet to provide a fix for a security vulnerability in Excel from last month,or a zero-day from December.