Just when Microsoft has declared its intent to further focus on improving the security of its products this year, a major flaw has been found in its operating system.

Microsoft Windows has been found to be vulnerable to remote code execution via an error in handling files using the operating system's metafile image format. Hackers have posted the exploit code online and this has been used to successfully attack fully-patched Windows XP SP2 systems, according to a report by the US Computer Emergency Readiness Team (US-Cert). Other versions of the Windows operating system may be at risk as well. Microsoft Windows Metafiles are image files that can contain both vector and bitmap-based picture information. Microsoft Windows contains routines for displaying various Windows Metafile formats. However, a lack of input validation in one of these routines may allow a buffer overflow to occur, and in turn may allow remote arbitrary code execution.

A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile. Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. While everyone is waiting for Microsoft to issue a patch, the company has issued a workaround solution to the problem. This is done by disabling or remapping Windows Metafile files to open a program other than the default Windows Picture and Fax Viewer. Go to www.microsoft.com/technet to learn how to complete the procedure.

The blow to Microsoft comes at a time when the giant is responding to consumers' concerns about its previous lack of care about the security gaps in its software. Microsoft pledged last year to be more open and responsive about vulnerabilities.The new approach includes technology investments, prescriptive guidance, education and industry partnerships. The company said its holistic approach has resulted in a reduction in vulnerabilities found in Microsoft Windows Server 2003 from 84 to 49 compared to the previous version. This year also marked a new wave of products developed under the new process. These included Visual Studio2005, SQL Server 2005, and BizTalk Server 2006 Beta 2.

Microsoft introduced a series of improved software updating tools throughout the year, and implemented a software update validation program. Microsoft has also acquired Sybari Software and announced a program to develop anti-spyware tools, a comprehensive approach to virus protection and centralised management capabilities for laptops,desktops and servers in business systems. The company also released the first beta of Windows Anti Spyware ? the most popular download in Microsoft's history. Microsoft plans to continue on the momentum from 2005. One major element will be the forthcoming release of Windows Vista. Customers of the Windows Vista platform will experience security improvements in everything from user account control, better support for smart cards, enhanced firewall protection, and improved security and privacy capabilities in Microsoft Internet Explorer 7.0. Customers will also benefit from enhanced information protection functionality in Windows Vista such as BitLocker Drive Encryption, a hardware-based feature that addresses the growing concern over corporate and customer data on lost or stolen machines. An analysis published by F-Secure found that in the second half of the year the virus count continued to rise with alarming force, increasing from 110,000 to approximately 150,000 by the end of the year.

At the same time, however the trend towards mass assaults using network worms dropped significantly with only two major outbreaks, one in September, with the Zotob worm causing larger disruptions internationally. A second a worm called Sober. Y flooded e-mail systems in late November. Earlier, the Zafi. D worm also made the headlines.

It was also a year characterised by a spate of criminal phishing attempts either directly to online banking customers. These attacks yielded high profits to the malware authors. Some people also made money by exploiting man-made and natural disasters. The number of malware targeted at mobile phone users exceed the 100 mark last year ? growing proof that the criminal bodies behind their creation are serious in their attempts to exploit this new arena.