Just days after Microsoft patched a critical vulnerability in the way the Windows operating system renders certain types of graphics files, a hacker has published details of two new flaws that affect the same part of the operating system.The new vulnerabilities were posted to the Bugtraq security mailing list on Monday by a hacker going by the name of “cocoruder.” All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch to the problem, ahead of its monthly security software update.While the patched flaw was being exploited by attackers to take control of Windows machines, the latest vulnerabilities appear to pose the risk of simply crashing the WMF-viewing software, typically Internet Explorer. However, users would first need to trick a victim into viewing a specially crafted WMF image in order for this to happen, security experts say.The vulnerabilities can be found in a number of versions of Windows, including Windows XP, Service Pack 2, Windows Server 2003, Service Pack 1, and Windows 2000, Service Pack 4, according to cocoruder’s Bugtraq posting. Johannes Ullrich, chief research officer for the SANS Institute, said that these type of image problems are fairly common, but he said that the fact that so many WMF vulnerabilities have popped up of late — Microsoft fixed three other WMF bugs in November — indicates that the software vendor could be doing a better job of predicting where its security problems might lie.Microsoft should have been able to catch these latest flaws and fix them with its November patch, Ullrich said. “They really seem to have a problem thinking offensively,” he said of Microsoft. “If you don’t really look for these vulnerabilities with this offensive mindset, but if you instead look at it from a programmers perspective … you just don’t find a lot of these things.””Every month they have one or two image problems they fix,” Ullrich added. “It’s actually kind of surprising they don’t get exploited more.”A spokeswoman from Microsoft was unable to provide comment for this story. –Robert McMillan, IDG News Service Related content news Multibillion-dollar cybersecurity training market fails to fix the supply-demand imbalance Despite money pouring into programs around the world, training organizations have not managed to ensure employment for professionals, while entry-level professionals are finding it hard to land a job By Samira Sarraf Oct 02, 2023 6 mins CSO and CISO CSO and CISO CSO and CISO news Royal family’s website suffers Russia-linked cyberattack Pro-Russian hacker group KillNet took responsibility for the attack days after King Charles condemned the invasion of Ukraine. By Michael Hill Oct 02, 2023 2 mins DDoS Cyberattacks feature 10 things you should know about navigating the dark web A lot can be found in the shadows of the internet from sensitive stolen data to attack tools for sale, the dark web is a trove of risks for enterprises. Here are a few things to know and navigate safely. By Rosalyn Page Oct 02, 2023 13 mins Cybercrime Security news ShadowSyndicate Cybercrime gang has used 7 ransomware families over the past year Researchers from Group-IB believe it's likely the group is an independent affiliate working for multiple ransomware-as-a-service operations By Lucian Constantin Oct 02, 2023 4 mins Hacker Groups Ransomware Cybercrime Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe