For the second week in a row, independent security researchers have fixed a hole in Microsoft's software.
On Friday, Determina published a free patch for a critical bug in an ActiveX control (called WebViewFolderIcon) that is used by Windows' graphical user interface. That patch can be found here.
Security experts consider the flaw to be critical because it could be exploited by attackers to run unauthorised code on a victim's PC. To make this happen, the victim would have to visit a website with IE (Internet Explorer) and allow it to run a malicious ActiveX control.
Security researcher HD Moore published details of the bug on 18 July, but he recently added attack code that exploited the flaw to his widely used Metasploit hacking toolkit. Determina says that the availability of the Metasploit code has boosted the risk of attacks.
There seems to be no shortage of Windows attacks recently.
Last Tuesday, Microsoft issued a rare emergency patch for a separate problem in Outlook and IE's VML (Vector Markup Language) rendering engine, after that flaw was widely exploited by attackers. And criminals have also launched extremely limited attacks that exploit an unpatched flaw in PowerPoint.
The VML flaw had first been fixed four days ahead of Microsoft's patch by a group of security researchers calling themselves the Zeroday Emergency Response Team.
This latest bug is not likely to be as widely exploited as the VML vulnerability, Moore said. "This bug is not as severe as the VML flaw, since it depends on ActiveX, and would not be exploitable by default through Outlook," he said in an email.
Nevertheless, Microsoft found the issue to be serious enough to merit a security advisory, published last Thursday.
Microsoft plans to patch the WebViewFolderIcon flaw in its next scheduled set of security updates, due on 10 October.
So far, Microsoft doesn't know of "any attacks attempting to use the reported vulnerability or of customer impact at this time", the security advisory states.
Microsoft does not recommend that users install third-party patches, because it says this software has not gone through the rigorous quality assurance testing process that the firm applies to its security updates.
Determina's patch works on Windows 2000, XP and 2003 systems.