Microsoft Issues Video ActiveX Control Security Warning

REDMOND, Wash. — Microsoft is warning users of a security flaw found in Internet Explorer, exploited through Windows XP or Windows Server 2003 operating systems.

In a security advisory posted Monday, the computer giant said it is investigating a "privately reported" vulnerability in its Video ActiveX Control. An attacker could possibly exploit the security hole and gain the same user rights as the local user, Microsoft explained. When using Internet Explorer, code execution is remote and may not require any user intervention.

As the Washington Post reports, a link in e-mail spam or even a posting almost anywhere can lead a Web surfer to a site that's been hacked, which then opens up the security hole, allowing a hacker to "tunnel" into a system to remotely control the visiting computer.

Microsoft confirmed that such attacks have already occurred during what's known as the zero-day vulnerability window, and instances were also reported by various security firms.

According to the SANS Internet Storm Center, thousands of websites have been hacked, seeded with the malicious code and are now spring-loaded with malware that could hit anyone visiting those sites. Additionally, instructions for exploiting the vulnerability have been posted on many Chinese websites, SANS said.

In a press release, security firm Symantec said one of the sites delivering the malware is the official website for the Russian Embassy in Washington. The company said the flaw affects Windows XP users using IE 6 or 7, but IE 8 users are not vulnerable.

Anyone operating Windows XP and/or Windows Server 2003 is advised to remove support for the ActiveX Control within Internet Explorer using Class Identifiers listed in the Workaround section.

According to Microsoft, users of Windows Vista or Windows Server 2008 are not affected because the ability to pass data to the control within Internet Explorer has been restricted. Nonetheless, the company also recommends Windows Vista and Windows Server 2008 users remove support for the ActiveX Control within Internet Explorer using the same Class Identifiers as a defensive measure.

Users may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in this Microsoft Knowledge Base Article.

Disabling the ActiveX Control in IE does not impact application compatibility, the company said.

Microsoft is currently working to develop a security update patch for Windows to address the vulnerability and will release the update when it is ready for distribution.