Flaw in ActiveX control could allow remote attacks

Microsoft on Monday posted a security advisory warning that a reported vulnerability in Microsoft Video ActiveX Control could give an attacker the same user rights as the PC’s owner, allowing for remote code execution.

The vulnerability, which Microsoft says was privately reported, can be exploited through Internet Explorer, where code execution is triggered remotely and doesn’t require user intervention. As a result, an attacker could exploit the vulnerability to deploy malware on an unsuspecting user’s PC.

The company says it knows of attempts to exploit this flaw. Microsoft is currently working on a security update for Windows that would fix the vulnerability, the security advisory says.

Microsoft recommends that Windows XP and Windows Server 2003 users remove support for the Microsoft Video ActiveX Control. Although Windows Vista and Windows Server 2008 customers aren’t affected by the vulnerability, the company recommends they remove support for the ActiveX control as a “defense-in-depth” measure.

In addition, the company says that since the vulnerability could give an attacker the same user rights as the PC’s owner, users whose accounts are configured with fewer rights would be less affected by an attack than those who run their PCs with administrative user rights.
