Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday.

A stack buffer overflow flaw in Windows' handling of animated cursor (.ANI) files, first reported last week, allows hackers to inject hostile code into unpatched systems. Internet Explorer can process ANI files in HTML documents, so web pages and HTML email messages can also be vectors for the vulnerability.

Microsoft responded to reports of widespread abuse by pushing out an emergency fix, to be released on Tuesday, 3 April, a week before its regular Patch Tuesday update.

A posting on Microsoft's Security Response Centre blog reports that Microsoft's security gnomes have been working round the clock to produce and test a fix and explains the rationale for Redmond's unusual (but far from unprecedented) decision to publish an out-of-sequence fix. ®

Related stories

• Unofficial fix brings temporary relief for critical Adobe vuln (15 September 2010)
• Zero-day bug hangs over Oracle database (9 November 2007)
• MS Patch Tuesday to include trio of 'critical' fixes (5 July 2007)
• Vista and IE 7 to receive 'critical' fixes on Patch Tuesday (7 June 2007)
• Updated Critical DNS fix stars in upcoming Patch Tuesday (4 May 2007)
• ANI takers for Asus website virus? (6 April 2007)
• MS releases emergency cursor bug fix (4 April 2007)
• Exploit for latest Windows vuln already animated (30 March 2007)
• Interview The rise of zero-day patches (2 March 2007)
• IE ripe for attack, despite Microsoft claims (1 February 2007)
• Vista raises the bar for flaw finders (31 January 2007)
• Another day, another zero-day MS exploit (28 September 2006)
• MS mulls emergency IE fix (26 September 2006)