With online criminals exploiting an unpatched flaw in Windows, security vendor eEye Digital Security has come forward with an unofficial fix for the problem.The unofficial temporary patch, published early Friday, fixes a bug in the way Windows processes Animated Cursor files, which are used to create cartoon-like cursors in Windows. Security researchers at McAfee first reported the bug on Wednesday evening, saying that it has been used in Web-based attacks.Microsoft has said that it will eventually fix the problem, and it generally recommends that users avoid this type of third-party fix for its products. But in the past, similar patches from eEye and others have been downloaded by tens of thousands of Windows users who were unwilling to wait for Microsoft’s updates.Microsoft’s next set of security patches is due April 10, but the software giant has not said whether that release will include a fix for the Animated Cursor problem. Security vendor Determina said it informed Microsoft of the problem in December. “Microsoft fixed a closely related vulnerability with their MS05-002 security update, but their fix was incomplete,” Determina warned on its website.Several websites, including two hosted in China, are now serving attack code that exploits the bug, but this flaw is particularly worrisome because it also affects Microsoft’s e-mail clients. In a blog posting on Thursday, Microsoft Security Response Center Program Manager Adrian Stone said that Outlook Express users are vulnerable to the bug, even if they are reading their e-mail in plain text.Microsoft advises Outlook users to read mail in plain text format, but says that Outlook 2007 users are protected even if they are not doing this.According to eEye Chief Technology Officer Marc Maiffret, Microsoft should have caught the problem two years ago, when his company first reported the bug that was patched in the MS05-002 update. “They fixed the bug we discovered back in ’05, but during their standard bug report code audit, they missed an area…where identical code was used, with an identical vulnerability,” he said via instant message. “It is hard to say how long people have been exploiting this in the wild due to the similar nature of the bugs.”Microsoft representatives could not immediately be reached for comment. -Robert McMillan, IDG News Service Related content news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry news UK data regulator warns that data breaches put abuse victims’ lives at risk The UK Information Commissioner’s Office has reprimanded seven organizations in the past 14 months for data breaches affecting victims of domestic abuse. By Michael Hill Sep 28, 2023 3 mins Electronic Health Records Data Breach Government news EchoMark releases watermarking solution to secure private communications, detect insider threats Enterprise-grade software embeds AI-driven, forensic watermarking in emails and documents to pinpoint potential insider risks By Michael Hill Sep 28, 2023 4 mins Communications Security Threat and Vulnerability Management Security Software news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe