A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday.

The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

"Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."

The Windows Meta File flaw uses images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image.

Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory.

Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.

http://news.com.com/Windows+flaw+spawns+dozens+of+attacks/2100-7349_3-6016140.html?part=rss&tag=6016140&subj=news