Softpedia
 


March 31st, 2007, 08:27 GMT · By

Microsoft Knew About the Critical .ANI Vista Vulnerability Since December 2006

Is Microsoft moving in slow motion when it comes to patching security vulnerabilities? That seems to be the case with a recent zero-day vulnerability impacting Microsoft Windows Animated Cursor Handling. Windows 2000, Windows XP, Windows Server 2003 and Windows Vista are all affected by the critical flaw, which allows for remote arbitrary code execution. According to Microsoft, the issue was initially reported by Determina before Christmas 2007.

"We were first made aware of the vulnerability in Windows Animated Cursor Handling on December 20, 2006 when it was responsibly reported to us by a security researcher at Determina. My colleague Adrian Stone took the report and immediately began an investigation, working with Determina on the issue. We have been working on this investigation since December to fully understand the issue and have been working to develop a comprehensive update as part of our standard MSRC process. Determina has been and continues to work with us responsibly on this issue, and we thank them for helping us to protect customers," revealed Christopher Budd, Security Program Manager with MSRC.

Since December 2006, Microsoft has been laboring to produce a patch addressing the Windows Animated Cursor Handling vulnerability. This is where the question at the introduction of this article comes into play. After over three months of being aware of a critical vulnerability affecting a range of products from the Windows platform, including Vista, Microsoft not only did not release any security updates in March, but it also doesn't have a clue when it will deliver a patch.

"Our teams are actively working on a security update for this issue and we currently plan to release it as part of our regular monthly update process. That said, we are actively monitoring this situation as part of our process and will always consider releasing an out of cycle update if we have a quality update available and customers are at serious risk: we have done this before and can do it here if appropriate. However, we always try to release updates as part of our regular monthly release cycle because customers have told us that it's easier for them to test and deploy updates when they're released as part of a predictable process," Budd added.

Microsoft's next monthly patch cycle is planned for April 10, 2007.
