Microsoft has issued a warning about hacker attacks that attempt
to exploit a vulnerability in the video ActiveX Control when used by Internet Explorer in
Windows XP and Windows Server 2003.
"An attacker who successfully exploited this vulnerability could
gain the same user rights as the local user," Microsoft warned in a
security advisory notice.
This means that if a user is logged on with administrative user
rights, an attacker could install programs, create new accounts and
view, change or delete data.
"Users whose accounts are configured to have fewer user rights
on the system could be less impacted than users who operate with
administrative user rights," the advisory said.
Microsoft is working on a patch, but is advising all Windows
users to take immediate steps to protect their systems from
attack.
These include removing support for the ActiveX Control within
Internet Explorer and changing Windows system settings to prevent
the control running in the browser.
Guides on how to do this are contained in the workaround section
of the security advisory and Microsoft's Knowledge Base article 240797.
Disabling the control will have no effect on browser performance
because there are no by-design uses for this ActiveX Control in
Internet Explorer, the advisory said.
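
The Knowledge Base article 240797 method of stopping a control from running in Internet Explorer is the registry "kill bit". The PowerShell below is an added example, not code from Microsoft's advisory or from this article; it reports, and with -Apply sets, that bit for a list of class identifiers. The CLSID shown is a constructed placeholder and the helper names are hypothetical.

```powershell
param([switch]$Apply)   # without -Apply the script only reports
# CLSID below is a constructed placeholder; take the real values from the advisory.
$Clsids  = @('{00000000-0000-0000-0000-000000000000}')
$KillBit = 0x400        # bit in "Compatibility Flags" that blocks the control in IE
$Name    = 'Compatibility Flags'
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {   # hypothetical helper: current flags, 0 if key/value absent
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 0 }
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$Name
}

function Set-KillBit {       # hypothetical helper: OR the bit in, keep other flags
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $new = (Get-CompatFlags $Key) -bor $KillBit
    New-ItemProperty -Path $Key -Name $Name -Value $new -PropertyType DWord -Force | Out-Null
}

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }      # view absent on 32-bit Windows
    foreach ($clsid in $Clsids) {
        $key = Join-Path $root $clsid
        $set = ((Get-CompatFlags $key) -band $KillBit) -ne 0
        if ($Apply -and -not $set) {
            Set-KillBit $key
            $set = ((Get-CompatFlags $key) -band $KillBit) -ne 0
        }
        # One result row per key, suitable for piping to a report
        New-Object PSObject -Property @{ Key = $key; KillBitSet = $set }
    }
}
```

Writing under HKLM requires an administrative session; the report-only run does not.
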
Microsoft said it will release a security update to fix the
vulnerability "when it has reached an appropriate level of quality"
for broad distribution.