Security vendor eEye Digital Security has released an unofficial fix for an unpatched flaw in Microsoft’s Windows operating system that is being exploited by online criminals.
The unofficial temporary patch fixes a bug in the way Windows processes Animated Cursor files, which are used to create cartoon-like cursors in Windows.
Several websites, including two hosted in China, are now serving attack code that exploits the bug. The flaw is particularly worrying because it also affects Microsoft's email clients.
In a blog post, Microsoft Security Response Centre programme manager Adrian Stone said Outlook Express users were vulnerable to the bug, even if they were reading email in plain text.
In a security advisory (http://www.microsoft.com/technet/security/advisory/935423.mspx), Microsoft advised Outlook users to read mail in plain text format, but said Outlook 2007 users would be protected even if they were not doing this.
Marc Maiffret, eEye’s chief technology officer, said Microsoft should have caught the problem two years ago, when his company first reported the bug that was patched in the MS05-002 update.
"They fixed the bug we discovered back in '05, but during their standard bug report code audit, they missed an area... where identical code was used, with an identical vulnerability," he said. "It is hard to say how long people have been exploiting this in the wild due to the similar nature of the bugs."
Security researchers at McAfee first reported the new web-based attacks exploiting the flaw on Wednesday.
Microsoft – which generally recommends that users avoid third-party fixes for its products – has promised to fix the problem. But in the past, similar patches from eEye and other security experts have been downloaded by tens of thousands of Windows users, unwilling to wait for Microsoft's updates.
The software giant is due to release its next set of security patches on 10 April, but has not said whether the release will include a fix for the Animated Cursor problem.
Microsoft was not available for comment.