Microsoft is warning of an unpatched vulnerability in its Windows Graphics Rendering Engine, which supports image formats, that could lead to remote code execution.

The flaw can enable an attacker to install malicious programs, access data or create accounts with full user rights, according to an advisory released Tuesday.

“To target this vulnerability, an attacker must convince a user to visit a specially crafted malicious web page, or to open a malicious Word or PowerPoint file,” Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote on a company blog post. “Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack then those running with administrative rights.” 

The bug was revealed at a Korean hacker conference in mid-December, said Paul Ducklin, head of technology for the Asia-Pacific region at anti-virus firm Sophos. Exploit code has been added to the Metasploit hacking toolkit.

In its advisory, though, Microsoft said it was not aware of any in-the-wild attacks or customer impact.

The software giant is working on a fix. Its next round of patches are due out Tuesday.