Microsoft has released a critical software patch for Windows to address a vulnerability that could allow an attacker to remotely execute code on another machine.
This vulnerability was privately reported to Microsoft and exists in the way Microsoft Agent handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Symantec Security Response rates the remote code execution vulnerability in Microsoft Agent ActiveX as critical, since ActiveX controls run on a significant number of systems. Consumers and enterprise users using Microsoft Windows 2000 are susceptible to exploits if they visit a malicious Web page. A successful exploit could allow an attacker to install malicious code of his or her choice, and could potentially allow the attacker to gain complete control of the affected system.
"Symantec has observed a significant increase in ActiveX vulnerabilities this year," said Kevin Hogan, senior manager at Symantec Security Response. "Due to the availability of public proof-of-concept code, we also think the MSN Messenger and Windows Live Messenger vulnerability is a high urgency issue."