Microsoft Hurries Fix for Cursor Flaw

Microsoft announced the early release of a patch that will eliminate an increasingly dangerous Windows flaw from users’ PCs — a full week before the company’s scheduled monthly “Patch Tuesday” cycle.

The software giant’s move to fix the vulnerability on Tuesday was provoked by an increasing number of hackers who stepped up attacks on PCs running various versions of Windows on Friday, a day after Microsoft first disclosed the vulnerability.

The patch will address the vulnerability in Windows Animated Cursor Handling, a component of Windows, according to Microsoft.

Malicious Code

Redmond released a security advisory last week, warning customers that a vulnerability in Windows ANI files was allowing hackers to break into computers and install malicious software.

The files are used to change the mouse cursor into the familiar hourglass icon — or another animated option — while a program is busy.

Microsoft originally planned to release the update next week as part of its regular monthly release of security bulletins; however, the company became aware of the existence of a public attack utilizing the vulnerability and decided to act. Testing the patch was completed earlier than expected, said the company.

Zero Day

While the zero-day attack is designed to exploit PCs running Windows Vista, the mouse cursor vulnerability has also been found on Windows 2000 Service Pack 4, Windows XP Service Pack 2 and some versions of Windows Server 2003, according to the company.

Microsoft’s monitoring of attack data continues to indicate limited impact on Windows users, the company said. However, the firm is actively monitoring the situation to keep customers up to date.

Highly Critical

Security experts at McAfee spotted a post on a Chinese message board on Wednesday, which indicated that hackers were planning to exploit the vulnerability, Craig Schmugar, a virus researcher at McAfee Avert Labs, told TechNewsWorld.

McAfee has rated the exploit “highly critical” and suggests that users should download the patch as soon as Microsoft releases it, otherwise they could end up with a malicious program on their PC after a browsing the Web and not know it, Schmugar said.

The vulnerability does not suggest that Windows Vista has a fundamental security flaw, added Schmugar.

“These programs are designed by humans and there are going to be flaws and vulnerabilities,” he said. “[Vista] has additional mitigation factors some others, such as XP, do not.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels