Microsoft warns of Video ActiveX control flaw

By Dan Kaplan
Jul 7, 2009 10:51 AM
Microsoft has warned of a zero-day ActiveX vulnerability that is being exploited in limited attacks against Windows XP and Server 2003 users.

The bug, in a Microsoft Video ActiveX control, can be leveraged to run code on users' PCs if they are duped into visiting a malicious website through Internet Explorer, Christopher Budd, a security program manager at Microsoft, said in a blog post.

"In a web-based attack scenario, an attacker could host a website that contains a web page that is used to exploit this vulnerability," according to a Microsoft advisory. "In addition, compromised websites and websites that host user-provided content or advertisements could contain specially-crafted content that could exploit this vulnerability."

Budd said the ActiveX control in question has "no by-design uses" so, as users await a patch, they should set the kill bit for it. Customers running Windows Vista and Server 2008 are not affected by the vulnerability, but Budd recommended that they set the kill bit as well for additional protection.

"Once that kill bit is set, any attempt by malicious websites to exploit the vulnerability would not succeed," Budd wrote.

Researchers at Symantec said that the hole is mostly being exploited in Asia, particularly China, where thousands of hacked websites have been seeded with attack code.

According to a post on Symantec's security blog, the vulnerability is in the "msvidctl.dll" library and can be exploited by passing a malicious file to the "data" parameter. In addition to setting the kill bit, users seeking protection can also disable JavaScript in the browser and avoid visiting untrusted sites, Symantec said.
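How a kill bit can be verified after deployment, as an added example that is not from the article or from Microsoft: Internet Explorer refuses to instantiate a control whose class ID has the 0x400 bit set in the "Compatibility Flags" value under the "ActiveX Compatibility" registry key. The script below audits a `.reg` export for that bit in both registry views; the class IDs and export text are constructed placeholders, because the article does not list the affected class IDs.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
COMPAT = r"Microsoft\Internet Explorer\ActiveX Compatibility"
VIEWS = {  # 32-bit IE on 64-bit Windows reads the WOW6432Node copy
    "native": "HKEY_LOCAL_MACHINE\\SOFTWARE\\" + COMPAT,
    "wow64": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\" + COMPAT,
}

# Constructed sample export; the CLSIDs are placeholders, not the real control's IDs.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BBBBBBBB-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020
"""

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int}} for dword values in a .reg export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit_kill_bits(reg_text, clsids):
    """Map (clsid, view) to 'killed', 'flag clear' or 'no key' for each registry view."""
    keys, report = parse_reg(reg_text), {}
    for clsid in clsids:
        for view, base in VIEWS.items():
            entry = keys.get(f"{base}\\{clsid}".lower())
            if entry is None:
                status = "no key"
            elif entry.get("compatibility flags", 0) & KILL_BIT:
                status = "killed"
            else:
                status = "flag clear"
            report[(clsid, view)] = status
    return report
```

Any result other than "killed" in either view means the control can still be instantiated by that build of Internet Explorer.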

See original article on scmagazineus.com

Secure Computing Magazine

 