The Redmond, Wash., computing giant released a security update for the Vista OS on Friday, following up an emergency, out-of-cycle fix on Jan. 5 and its routine Patch Tuesday bulletin last week. The final version of Vista is a year away from release.
The WMF vulnerability, which had previously been patched for older Microsoft OSs, allowed an attacker to take control of a PC by tricking its user into viewing a corrupted image file. The patch was deemed "critical" by Microsoft.
"A remote code execution security issue has been identified in the graphics rendering engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it," Microsoft said on its website.
Mike Nash, corporate vice president for security, said this month that the computing giant wanted to make sure that the update would meet quality goals before its distribution. The company first advised users last month to maintain antivirus services and apply the work-around it recommended.
Prior to the release, malicious users set up attack websites to exploit the image vulnerability, through which they could execute arbitrary code, cause a denial-of-service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned late last month.
The vulnerability was built into metafiles in the 1980s to improve usability on considerably slower PCs.
Russ Cooper, senior information security analyst for Cybertrust, said such an issue in a beta program isn't unusual, calling it one reason "why it's in beta."