Microsoft Corp. released an emergency security patch Tuesday to plug a hole in several versions of Windows — including Vista, which the software maker has touted as its most secure operating system ever.
Microsoft was so worried about the hole — which allowed hackers to break into personal computers and install malicious software — that it pushed out the critical security fix a week ahead of a regularly scheduled update.
The Redmond-based software company told customers last Thursday about a vulnerability in ".ani" files, which are used to change the cursor into an hourglass while a program works, or into a dancing animal or other animation on specially designed Web sites. Security experts said the hole was actively being exploited by hackers to install keystroke-logging programs.
Ken Dunham, director of the rapid response team at iDefense, the research division of VeriSign Inc., said a group of Chinese hackers was using the security hole to steal and sell log-ins to the popular "World of Warcraft" multiplayer computer game.
Microsoft said it has known about the vulnerability since December.
Users surfing the Web were the first targets, security experts said.
The Microsoft patch "will be a significant milestone in this attack," Dunham said. However, as businesses take time to test and implement the patch, and consumers delay downloading it, hackers will still be at work.
Customers whose Windows computers aren't set to automatically install critical patches can download the security update, MS07-017, from Microsoft's Web site.