However, the good news might be that the buggy ActiveX Control doesn't affect any major functionality in IE, which allows the control to be disabled in the Web browser without any significant impact to the user.
"Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control," Microsoft said in its advisory.
At worst, the ActiveX Control bug, which affects several versions of Windows, including Windows XP and Windows Server 2003, allows attackers to infiltrate a user's system to download malicious code, typically information-stealing Trojans and keyloggers. Attackers often distribute the malware via compromised legitimate Web sites or by enticing a user to click on a link directing them to a malicious Web site on IE, usually through some kind of social engineering scheme.
So far the attacks don't appear to affect Windows Vista or Windows Server 2008, due to the fact that both systems restrict data flowing to ActiveX within IE, Microsoft said.
Marc Fossi, manager of research development for Symantec Security Response, said that attacks exploiting the ActiveX flaw were found on some Chinese Web sites as well as a Russian Embassy site in Washington, D.C., but added that the security community didn't yet know the extent of the attacks globally.
Fossi said there was little to distinguish this ActiveX flaw from others exploiting Web browser vulnerabilities.
"We see exploits that serve vulnerabilities that are exploited through IE and plug-ins all the time and this isn't really any different than the rest," Fossi said. "People shouldn't be going into panic mode."
Microsoft said in its advisory that it was working on a fix for the bug, which will either be released in its monthly Patch Tuesday security bulletin or separately as an emergency out-of-band update.
Until that happens, there are some workarounds. Microsoft recommended in its advisory that users disable the ActiveX Control in IE on Windows XP and Windows Server 2003. Microsoft also recommends that users disable the ActiveX Control on Vista and Server 2008 as a "defense in depth" measure, even though those systems are unaffected by the flaw.
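As an added example, not taken from the article or from Microsoft's advisory, the following PowerShell script applies the standard IE "kill bit" mechanism that Microsoft's workaround relies on: it sets the Compatibility Flags value IE checks before loading a control. The CLSID in the list is a placeholder; the real identifiers are the ones Microsoft lists for msvidctl.dll, and the script must run from an elevated prompt.

```powershell
# Added example: block a list of ActiveX controls in IE by setting their kill bit.
# The CLSID below is a PLACEHOLDER; replace it with the identifiers from the advisory.
$ClsidsToKill = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real CLSID
)
$KillBit = 0x400   # Compatibility Flags bit that tells IE never to load the control

# Registry paths IE consults; the Wow6432Node path covers 32-bit IE on 64-bit Windows.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }   # Wow6432Node absent on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill bit in so any existing compatibility flags are preserved.
        $new = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is set under every applicable path.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ((([int]$flags) -band $KillBit) -ne $KillBit) { return $false }
    }
    return $true
}

foreach ($c in $ClsidsToKill) {
    Set-ActiveXKillBit -Clsid $c
    '{0} kill bit set: {1}' -f $c, (Test-ActiveXKillBit -Clsid $c)
}
```

The Test-ActiveXKillBit function doubles as an audit check for confirming that the workaround is in place across a fleet of machines.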
In addition to disabling the ActiveX Control in IE, Fossi recommended that users also make it a practice to log into their computers with minimal privileges. Users who log in as an administrator run the risk of exposing the rest of the network to any kind of code executed on the system, he said.
"Use a lower privileged account to do your day-to-day stuff," Fossi said. "If you're running as an administrator, potentially anything that executes on the computer as a result could affect all users."