Three image-rendering flaws in the Windows operating system could put millions of Internet-connected users at risk of PC takeover attacks, Microsoft Corp. warned on Tuesday.

The flaws could be exploited via any software that displays images, including the widely used Microsoft Outlook, Microsoft Word and Internet Explorer programs.

The bugs are considered particularly dangerous because users could be at risk by merely browsing to a malicious rigged site with rigged image files, or by displaying images in the preview pane of an e-mail program.

Microsoft tagged the update as "critical," its highest severity, and urges Windows users to download and apply the patches immediately.

The flaws affect Windows 2000, Windows XP (including Service Pack 2) and Windows Server 2003.

According to the MS05-053 bulletin, the nastiest of the three is a remote code execution bug in the rendering of WMF (Windows Metafile) and EMF (Enhanced Metafile) image formats.

"Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company warned.

The bulletin also addresses two separate unchecked buffers in the way the operating system renders EMF and WMF images.

Image-rendering vulnerabilities are deemed particularly serious because malicious hackers can simply place a rigged photograph on a Web site and trick users into visiting. By merely browsing to the malicious site, the user allows the attacker to execute harmful code to take complete control of an unpatched machine.

In the past, image-rendering bugs have been used in widespread attacks. In one case, a hacker broke into an ad server and successfully loaded exploit code on banner advertising served on hundreds of Web sites. European tech publisher The Register was among those affected.

The latest flaw was discovered by at least three private research teams and reported to Microsoft more than seven months ago.

eEye Digital Security, one of the research firms credited with finding the vulnerability, reported it to Microsoft on March 29, but a comprehensive fix was delayed for a long time because of the complicated nature of testing such an important update, according to Stephen Toulouse, a program manager in the MSRC (Microsoft Security Response Center).

"There's absolutely a good reason [for the delay]," Toulouse said in an interview with Ziff Davis Internet News. "The graphics rendering system is an extremely important component of the operating system. It's critical to functioning of operating system. Any time you make a change to such an important component, you absolutely have to ensure you're not introducing new problems."

Toulouse blamed the long delay on the rigid patch-testing procedures at Microsoft.

"We have to ensure that the update is of the highest quality so customers are confident enough to deploy it to protect themselves," Toulouse said.

Steve Manzuik, security product manager on the eEye research team, said the idea that a software company needs more than seven months to fix such a dangerous flaw is difficult to comprehend.

"To us, anything between 60 to 90 days is fair. They [Microsoft] have their own testing system that probably takes longer than that. They claim they need 60 days to do regression testing alone, but that does seem like a very long time," Manzuik said.

Microsoft's Toulouse objected to the idea that there's a deadline that determines whether a company is creating security fixes in a timely manner.

"In this case, we were making significant changes to the graphics rendering, which is a critical part of the operating system. These are very deep changes that affect multiple files. It becomes a quality issue because you want your customers to trust your updates," Toulouse said. "The update that customers won't deploy because they can't trust it, doesn't protect anyone. This is a very important issue for us."

However, eEye's Manzuik argued that it's a safe assumption that outside hackers are finding the same vulnerabilities and not reporting them to Microsoft.

"That's something you have to assume. In this case, there were two other companies reporting the same flaw. Who's to say we were the only three who found it?" Manzuik said.

Microsoft confirmed that code breakers at Symantec Corp. and Venustech AdDLab also reported the vulnerabilities.

Dave Cole, director of product management at Symantec Security Response, underscored the urgency attached to Tuesday's bulletin. He said possible attacks could occur through a malicious file on a Web site, an embedded file in a Microsoft Office document, or in an HTML e-mail.

"The variety of ways to initiate a possible attack makes this issue particularly potent. [We] recommend that users apply the update as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via e-mail or instant messages," Cole added.

In addition to addressing this vulnerability, Microsoft released the scheduled monthly update of its malicious software removal tool to add detection for several new virus variants, including Win32/Bugbear, Win32/Opaserv, Win32/Mabutu, Win32/Swen and Win32/Codbot.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.