Press Releases

Browse our press release archive

30 Mar 2007

Malicious animated cursors exploit unpatched Microsoft vulnerability

Windows Vista users not immune from security hole

Microsoft Windows has a vulnerability in its handling of animated cursors.

Sophos, a world leader in IT security and control, has warned computer users of a zero day vulnerability in the way that Microsoft Windows handles animated cursors (.ANI files). Multiple versions of Microsoft Windows are affected by the unpatched vulnerability, including Windows Vista.

According to an advisory by Microsoft, Windows 2000, XP, Server 2003 and Vista are said to be affected by the flaw, which has been exploited by hackers in targeted attacks.

"Animated cursors are typically used by website developers to enrich users' online experiences, but a twirling hourglass is hardly worth the risk of a malicious attack. Sadly users don't get a choice as to whether a website attempts to animate their cursor or not, and hackers could use the vulnerability to run malware," said Graham Cluley, senior technology consultant for Sophos. "Microsoft will be scrabbling to fix this vulnerability at the earliest possible opportunity, as hackers are already exploiting the security loophole in their attempt to infect innocent computer users."

Sophos researchers have analyzed malware which exploits the Microsoft vulnerability, issuing protection against the Troj/Animoo-U Trojan horse at 23:46 GMT on 29 March 2007.

Microsoft has published an advisory on its website which discusses the vulnerability.

Sophos experts note that this is not the first occasion when Microsoft products have been exploited through malware which takes advantage of security vulnerabilities in the way Windows handles animated cursors and icons.

In January 2005, Microsoft issued Security Bulletin MS05-002 which detailed a critical security vulnerability in the Windows implementation of animated cursors which allowed hackers to remotely execute code, and advised customers to apply the protection update immediately.

"Unfortunately Microsoft's patch from early 2005 does not protect against this latest vulnerability," continued Cluley.

Sophos continues to recommend that all organizations protect their email with an integrated security solution to thwart spam, spyware and malware threats.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at