Microsoft is investigating three new unpatched Windows flaws that security researchers have described as highly critical. The flaws, which were revealed publicly on the Bugtraq security mailing lists over the holiday weekend, were first reported by a group of security researchers from China called Xfocus. The three flaws exist in the LoadImage API (application programming interface), the Windows animated cursor (*.ani) file type, and in the Windows Help parser, respectively. All three are present in all modern Windows versions, including Windows Server 2003, Windows XP, Windows NT 4.0, and Windows 2000. However, Windows XP Service Pack 2 (SP2), which is widely acknowledged as the most secure client version of Windows Microsoft has yet made, is only susceptible to two of the three flaws. Like previous image format-based vulnerabilities, the LoadImage-based flaw could be exploited by a malicious Web page or HTML email that displays a specially-made image file, icon, or cursor. Victims could find their machines remotely controlled by hackers.