Redmond software giant Microsoft has decided to fast-track a patch for a security loophole which lets Windows PCs be hijacked using a flaw in the way the operating system handles animated cursor files. Microsoft usually issues security patches once a month, but the seriousness of the vulnerability, and a growing number of known exploits “in the wild” as well as proof-of-concept code, have prompted the company to get the animated cursor patch out the door faster.
The flaw impacts Windows Vista, XP, 2000, and Windows Server 2003; vulnerable PCs can be attacked by viewing a Web page designed to exploit the problem or by viewing a specially-crafted email message or attachment which exploits the flaw.
“Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10,” wrote Microsoft’s Christopher Budd in the company’s official security blog. April 10 would be the next regularly scheduled security update; instead, users will see Microsoft’s patch for the problem appear via Windows automatic update features on Tuesday, April 3. A downloadable version should also be available from Microsoft.
Microsoft was originally notified about the flaw in December 2006, but the problem only popped into mainstream industry consciousness last week as security firms warned that attackers could use the exploit on malicious Web sites to silently take over unprotected Windows PCs. Security experts now warn that more than 100 Web sites are already serving pages designed to exploit the flaw, and Symantec reports a new worm based on the problem has already begun circulating in China.