Microsoft has issued a rare warning about a "zero-day" vulnerability in an ActiveX control on Windows XP and Windows Server 2003 that hackers are actively exploiting. The company doesn't have a patch ready yet, but because the vulnerability is already being exploited, Microsoft is alerting customers and providing a temporary workaround.
"Microsoft issued Security Advisory 972890 to address a new vulnerability in a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003 that could allow remote code execution if a user browses to a specially-crafted Web page," a Microsoft representative told me. "We are aware of limited, active attacks that exploit this vulnerability."
"Our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer," the representative continued. "Therefore, we recommend that all customers implement the workarounds outlined in the Security Advisory. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we recommend that they also implement the workarounds as a defense-in-depth measure."
Microsoft includes a simple "Fix it for me" link in its Security Advisory that will automatically implement the workaround on affected systems.