Microsoft issued a patch Sunday for a vulnerability that affects several versions of the Windows operating system, including the newly released Vista, and has been employed in “malicious and criminal attacks on computer users.”
In a security advisory issued Saturday, the company described the hole “as a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. For this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.”
The company had planned to issue the patch, known as MS07-017, with its regular monthly security update on April 10. “However, Microsoft is aware of the existence of a public attack utilizing the vulnerability,” a spokesman said in an email. “Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”
The attacks and their impact on computer users have so far been “limited,” according to the spokesman.
Updates will be pushed out automatically to Windows users who have the Automatic Updates feature turned on. The patch can be downloaded at Microsoft’s Windows Update.
The SANS Internet Storm Center has more details and links to security vendors’ accounts of the problem.