Microsoft broke with its monthly patch cycle Tuesday to fix the bug, which cybercrooks had been using since last week to attack Windows PCs. The flaw relates to the way Windows handles animated cursors and could let an attacker commandeer a PC when the user views a malicious Web site or e-mail message.
The vulnerability could be exploited through any Windows application that relies on the operating system to handle animated cursor files. This includes Mozilla's Firefox Web browser, which according to some security experts exposes Windows Vista users to greater risk than Internet Explorer 7 because the latest Microsoft browser has additional security features.
"The vulnerability is caused by a Windows error…it can be exploited through both Firefox and Internet Explorer," Mike Schroepfer, vice president of engineering at Mozilla, said in a statement. "We are investigating issuing a workaround within Firefox in an upcoming security release." Mozilla coordinates Firefox development.
The Firefox workaround could be welcome for those users who, for whatever reason, don't install Microsoft's fix. Some compatibility problems with the Microsoft update have been reported. "Microsoft has issued a patch to fix Windows and we encourage all Windows users to apply this update immediately," Schroepfer said.
Security experts at Determina, which reported the animated cursor flaw to Microsoft, have published a video that shows how a Vista PC can be compromised by exploiting the flaw and how Firefox users are at a higher risk than IE 7 users.
