Original URL: http://www.channelregister.co.uk/2007/04/04/ms_cursor_bug_patch/
Microsoft has released an out-of-sequence patch (http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx) designed to address a Windows vulnerability involving the handling of cursor animation files, as well as a number of other flaws.
The prime focus of the update is a stack buffer overflow flaw involving Windows' handling of animated cursor (.ANI) files. The flaw (http://www.kb.cert.org/vuls/id/191609), first reported last week, creates a means for hackers to inject hostile code into unpatched systems and has become the target of widespread hacking attacks. Internet Explorer can process ANI files in HTML documents, so web pages and HTML email messages can also be vectors for the vulnerability.
Microsoft responded to reports of widespread abuse of the flaw by pushing out an emergency fix on Tuesday, 3 April, a week before its regular Patch Tuesday update. The patch also addresses a number of other vulnerabilities involving privilege escalation, denial of service and remote code execution.
Early reports suggest a number of glitches with the update. In particular, the patch can conflict with systems running Realtek Audio cards, prompting Microsoft to release a hotfix (http://support.microsoft.com/kb/935448). ®