Malicious code that exploits a new hole in MSN Messenger has been published on the Internet. Security experts have warned it could soon result in a worm or virus.

The code attacks a vulnerability in Messenger's "libpng" component, which is used to display PNG image and icon files. More than one example of code to exploit the hole is now available on the Internet, along with directions on how to use it to attack vulnerable Messenger applications. The code can cause Messenger to crash, or allow a remote attacker to run code on vulnerable Windows machines, according to a Vulnerability Alert released by Symantec.

On Tuesday, Microsoft released a critical patch, MS05-009, for the PNG hole; the patch fixes several holes in libpng.

When a Messenger user initiates a conversation with an IM contact, an "avatar" PNG image is transmitted over the same communication channel used to exchange text messages. By sending a specially crafted PNG image, an attacker can trigger a buffer overflow and execute arbitrary code on the chat partner's system, according to Max Caceres, director of product management at Core Security Technologies in Boston. Researchers at Core Security discovered the hole and reported it to Microsoft in August, he said.

In buffer overflow attacks, malicious hackers flood temporary data storage areas on a computer with more information than they were intended to hold. Extra information, such as attack code, overflows into other areas of the computer's memory, overwriting other data and causing the system to crash or begin running the attacker's code. "It's a very serious vulnerability. If you're a Messenger user, anyone on the network can take control of your machine without you knowing about it," Caceres said.
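The defensive side of this, as an added example that is not code from the article, libpng or Microsoft: an image parser that checks every length field declared inside an untrusted PNG against both the remaining input and the size of the destination buffer before it copies. It illustrates the general class of flaw only, since the article does not detail the specific libpng defect; `MAX_CHUNK`, `png_check_chunks` and the sample byte arrays are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNK 256  /* assumed capacity of the fixed destination buffer */
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

/* Constructed samples: signature plus one chunk; CRC bytes are zeroed
 * because this example checks lengths only and does not verify CRCs. */
static const uint8_t SAMPLE_OK[] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0};
static const uint8_t SAMPLE_BAD[] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0x10, 0, 'I', 'D', 'A', 'T', 0, 0, 0, 0};  /* claims 4096 data bytes */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walks the chunk list of an untrusted PNG. Returns the number of chunks
 * accepted, or -1 if the signature is wrong, a chunk is truncated, IEND is
 * missing, or a declared length exceeds the destination buffer. */
int png_check_chunks(const uint8_t *buf, size_t len) {
    uint8_t dest[MAX_CHUNK];
    size_t off = sizeof PNG_SIG;
    int count = 0;
    if (len < off || memcmp(buf, PNG_SIG, off) != 0)
        return -1;
    while (off < len) {
        if (len - off < 12)             /* need length + type + CRC */
            return -1;
        uint32_t clen = be32(buf + off);
        if (clen > len - off - 12)      /* data would run past the input */
            return -1;
        if (clen > sizeof dest)         /* data would overflow dest */
            return -1;
        memcpy(dest, buf + off + 8, clen);  /* both bounds checked above */
        count++;
        if (memcmp(buf + off + 4, "IEND", 4) == 0)
            return count;
        off += 12 + (size_t)clen;
    }
    return -1;
}

int main(void) {
    printf("ok=%d bad=%d\n", png_check_chunks(SAMPLE_OK, sizeof SAMPLE_OK),
           png_check_chunks(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```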

One example of exploit code, published on K-OTik Security's website, affects MSN Messenger 6.2 and works on Windows 2000 and Windows XP systems that are running vulnerable versions of MSN Messenger. The exploit code could be used by a remote attacker to download a Trojan horse program or other malicious code to vulnerable systems, according to its author, who goes by the online name ATmaCA.