On the same day Microsoft assured consumers it could protect their PCs, it owned up to two new security problems, one of which was yet another issue with Windows Metafile (WMF) images, the flaw that sent users scrambling in late December and early January.
On Tuesday, Microsoft released a pair of security advisories in response to an out-in-the-wild tool that can escalate attackers' privileges, and a new WMF hole in older versions of Internet Explorer.
The IE problem, said Microsoft in the advisory, is yet another in a long list of Windows Metafile vulnerabilities, but it affects only IE 5.01 and IE 5.5, two aged versions that, by one Web metrics vendor's estimate, accounted for just 2.3 percent of all browsers used in January.
The bug is similar to the zero-day vulnerability which went so wild in late 2005 that users rushed for an unauthorized patch before Microsoft finally went out-of-cycle to fix the flaw. As in the earlier scenario, hackers could use this new one to craft malicious WMF images, then plant them on Web sites or deliver them by e-mail, to grab control of PCs.
Users of IE 5.01 and 5.5 should upgrade to IE 6.0, which is not vulnerable to the new bug.