I was immediately intrigued yesterday, when Microsoft sent through a security alert about a vulnerability in the Windows Animated Cursor Handling component of Windows. My mind boggled—the immediate thought was one of the innocuous arrow cursor starting to take control, grabbing windows and throwing them unceremoniously to the bottom of the screen, biting chunks out of frames and generally wreaking havoc… perhaps even morphing into a nasty, warty anti-cursor or worse, a paperclip.

Sadly there is such a thing as too much imagination. The reality is that the vulnerability allows for web sites that host animated cursors to do the standard thing of exploiting coding holes in Internet Explorer, whereupon "successful exploitation allows execution of arbitrary code," according to Secunia. While seen as critical, this is by no means as interesting.

What is perhaps more interesting is the conversation over at Slashdot about the vulnerability. I might be reading them wrong, but while Microsoft has clearly been been remiss by causing the bug in the first place, it would appear that there are sufficient mechanisms in place to minimise the potential risks of damage—these include admin privileges, shadow copies, a new security sub system blocking API calls and so on.

Now, without starting to bang on about risk management again (its a bit of a habit), it does strike me that perhaps some people want to have their cake and eat it. Consider: downloading animated cursors from unknown Web sites in the first place, which could be seen as the virtual equivalent of hanging around in dodgy bars or buying door locks from the man on the market—while telling him your address.

From a risk management perspective, the message is simple—don't. If you do, you might well find that those clever hackers have found ways of breaking through the hundreds of man hours worth of code that have been implemented in Vista. This, like the reality of the exploit, may be quite a dull thing to say but as an ex-sysadmin I'm used to being a party pooper. Just as I'm equally sure that one day, the hackers will get bored of Windows and will turn their attention to OSX.

In either case, the message will be the same. Stupid things have consequences, and shiny objects shouldn't always be picked up.