Microsoft has issued a security advisory warning about an unpatched security hole in Windows that is actively being exploited by online criminals. 

Attackers are using a flaw in the way that Windows handles the .wmf (Windows Metafile) graphic file format. A specially crafted .wmf image placed on a website or sent through a spam email could allow the criminal to execute code on a user's system.

The arbitrary code execution lets the attacker install spyware or recruit a system for a zombie network, a collection of computers used for online crimes including sending spam or launching distributed denial of service attacks.

Microsoft urged users to update their antivirus software, and said that it is investigating the issue.

A patch is being developed which will be released either through Microsoft's monthly patch cycle on the second Tuesday of the month or as an out-of-cycle security update.

Security firm Secunia gave the vulnerability its highest severity ranking of 'extremely critical'.

Security firm F-Secure said on its blog that it has seen at least three different computer worms that exploit the security hole. The company refers to the worms as W32/PFV-Exploit.A, .B and .C. The threats are being spread by spam email messages and through several websites.

Users of Microsoft's Internet Explorer are automatically infected when they visit a webpage hosting an infected image. Firefox will first ask the user before opening the file. If the user approves, the PC will be infected.

The US Computer Emergency Readiness Team described several workarounds on its website that will mitigate but not eliminate the risk until Microsoft releases a patch.

The workaround includes avoiding .wmf files from untrusted sources and resetting the file association, or opening the files with an application other than Windows Picture and Fax Viewer.