News

Microsoft Plans Out-of-Cycle Patch for Zero-Day Flaw

We still don't know all that much about the scope of the vulnerability in Microsoft's Windows Animated Cursor handling implementation, but -- based on Redmond's responsiveness thus far -- it seems like a doozy.

Microsoft has thrice updated its original security bulletin first released Thursday, and researchers at the Microsoft Security Response Center (MSRC) have updated the MSRC blog on several occasions, too.

The company now plans to release an out-of-cycle patch for the flaw tomorrow, although "it’s possible that we will find an issue that will force us to delay the release," wrote MSRC researcher Christopher Budd in a blog post yesterday.

The MSRC on Thursday confirmed the existence of "very limited attacks." By Saturday, however, Budd acknowledged that the number of attacks had escalated.

"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code," Budd wrote. The vulnerability affects all versions of Windows -- including Windows Vista, Microsoft confirms.

Redmond's regular Patch Tuesday festivities are scheduled for April 10. A number of factors -- escalated attacks, proof-of-concept code -- prompted Microsoft to release an out-of-order update. There are other concerns, too: The Associated Press reports, via security researcher McAfee, that a posting on a Chinese hacking forum indicates that additional hackers plan to start exploiting the vulnerability, too.

Elsewhere, the AP cites speculation, attributed to researchers at VeriSign Inc.'s Defense labs, that Chinese hackers plan to use the vulnerability to steal (and subsequently sell) information pertaining to the World of WarCraft video game.

Microsoft's patch, should it appear tomorrow, won't be any rush job, Budd promised. "I'm sure one question in people's minds is how we're able to release an update for this issue so quickly," he wrote. "[T]his issue was first brought to us in late December 2006 and we've been working on our investigation and a security update since then. This update was previously scheduled for release as part of the April monthly release [next week]. Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.