We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

eEye fix released for Windows zero-day flaw

Unofficial patch for critical Vista, XP vulnerability

Security vendor eEye Digital Security has released an unofficial fix for the unpatched flaw in Windows, currently being exploited by online criminals.

Published this morning, the unofficial temporary patch fixes a bug in the way Windows processes Animated Cursor files, which are used to create cartoon-like cursors in Windows.

McAfee security researchers reported the bug on Wednesday evening, saying that it had been used in web-based attacks.

More Windows security news, click here

Microsoft generally recommends that users avoid this type of third-party fix for its products. It has said that it will eventually fix the problem. But in the past, similar patches have been downloaded by thousands of Windows users, unwilling to wait for Microsoft's updates.

Microsoft's next set of security patches are due on 10 April, but the software giant hasn't revealed whether that release will include a fix for the Animated Cursor problem.

Security vendor Determina said it informed Microsoft of the problem in December. "Microsoft fixed a closely related vulnerability with their MS05-002 security update, but their fix was incomplete," Determina warned.

Several websites, including two hosted in China, are now serving attack code that exploits the bug, but this flaw is particularly worrisome because it also affects Microsoft's email clients.

In a blog posting on Thursday, Microsoft Security Response Center Program Manager Adrian Stone said that Outlook Express users are vulnerable to the bug, even if they are reading their email in plain text.

Microsoft advises Outlook users to read mail in plain text format, but says that Outlook 2007 users are protected even if they're not doing this.

According to eEye Chief Technology Officer Marc Maiffret, Microsoft should have caught the problem two years ago, when his company first reported the bug that was patched in the MS05-002 update.

"They fixed the bug we discovered back in 2005, but during their standard bug report code audit, they missed an area... where identical code was used, with an identical vulnerability," he said via instant message. "It is hard to say how long people have been exploiting this in the wild due to the similar nature of the bugs."

Microsoft representatives could not immediately be reached for comment.


IDG UK Sites

iPhone 6 vs Samsung Galaxy S5 comparison review: Apple takes on Samsung once again in smartphone...

IDG UK Sites

Just another opinion about Apple's new iPhone

IDG UK Sites

Intel Xeon E5 v3 Haswell processors review: we check out the fastest chips on the planet

IDG UK Sites

Apple Watch hands-on review | Apple Watch design, spec, features & UK pricing