Microsoft has issued a new security advisory for a critical security issue that could potentially enable an attacker to take control of a user's PC by way of Internet Explorer (IE).
The flaw stems from an issue in the Microsoft Video ActiveX Control. Microsoft has noted in its advisory that it is currently aware of attacks related to this flaw. Microsoft offers a work-around in its advisory to let users disable the ActiveX Control in question. According to the advisory, Microsoft is also currently working on a security update to fix the flaw. In my view this is likely to be an out-of-band update, though seeing as Patch Tuesday is tomorrow we could get it early too.
Microsoft's advisory notes that the update will be released, “…when it has reached an appropriate level of quality for broad distribution.”
Aside from the fact that IE is at risk from a flaw, the interesting part of this flaw, in my opinion, is that the function which this attack is abusing has no real use in IE in the first place.
“Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control,” Microsoft’s advisory states.