Microsoft has issued a security advisory warning Windows XP users to take immediate steps to protect themselves from an ActiveX security vulnerability that’s already being exploited, particularly in Asia. The problem only impacts Windows XP—which, unfortunately, happens to be one of the most widely-used operating systems on the planet—and would let attackers run arbitrary code as if they were the currently logged-in user. Windows Vista and Windows Server 2008 are not impacted, nor is Windows 2000 SP4. Microsoft is working on a patch; in the meantime, Microsoft is urging users to disable the Microsoft Video ActiveX control from running in Internet Explorer.
The workaround sets a “kill bit” for Microsoft’s Video ActiveX control in the Windows Registry which will prevent Internet Explorer from loading the control. Although it doesn’t eliminate the vulnerability from the system, it does prevent malicious sites from being able to exploit the problem. Microsoft says there are no “by design” uses for the Video ActiveX control in Internet Explorer, so disabling the control shouldn’t have any significant ramifications for users. Microsoft is even recommending Windows Vista and Windows Server 2008 users set the kill bits just in case.
Microsoft has not given a date for when it expects a security patch to be available. The company’s next “Patch Tuesday” update is July 14; a fix might be included in that update, or could be issued separately.
The code for the ActiveX exploit has already been published on a number of Chinese sites.
