The security company urged users to apply the GDI patches pronto if they have not done so already. "These attack attempts highlight the severity of this issue and it is only a matter of time before new images that successfully trigger the issue are observed in the wild," Symantec concluded.
Ironically, the only version of Windows not vulnerable to attack is XP SP3, the still-not-released final update to the aged operating system. Hidden in the MS08-021 security bulletin was the sentence: "Windows XP SP3 is not affected by this vulnerability."
Windows XP SP3's release date remains a mystery. Although Microsoft has not budged from its "first half of 2008" public statements, others have speculated that the service pack will wrap up later this month. One website, which correctly predicted release dates for Vista SP1, has pegged XP SP3's roll-out as coming in the second half of April.
Microsoft's GDI patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.