Writing on the Microsoft Security Response Center blog, Microsoft's Christopher Budd claimed that the company was ‘aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site.’
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When the control is reached through Internet Explorer, code execution is remote and may not require any user intervention.
The advisory claimed that Microsoft's investigation had shown there are no by-design uses for this ActiveX control within Internet Explorer.
Budd said: “Therefore, we're recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control.
“While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed.”
US-CERT encouraged users and administrators to review Microsoft Security Advisory 972890 and to implement the workaround listed in the advisory. This workaround will help mitigate the risks until a patch or update is released by the vendor.
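The workaround the advisory describes is a registry setting: Internet Explorer refuses to instantiate a control whose CLSID has the "killbit" (bit 0x400 of the `Compatibility Flags` DWORD) set under the ActiveX Compatibility key. The script below is an added example for administrators auditing and applying that setting; it is not code from the article, from Microsoft or from US-CERT. The CLSID in it is a placeholder: the real CLSIDs for this control are listed in Microsoft Security Advisory 972890 and are not reproduced here. It assumes an elevated PowerShell session.

```powershell
# Added example, not from the original article: audit and set the ActiveX
# killbit for a list of CLSIDs. The CLSID below is a PLACEHOLDER; take the
# real list from Microsoft Security Advisory 972890.
# Mechanism: under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# a DWORD named "Compatibility Flags" with bit 0x400 set tells Internet
# Explorer never to load that control.

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.
$Wow64Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # Returns $true only if the key exists and the killbit is already set.
    param([Parameter(Mandatory)][string]$Clsid, [string]$Root = $BasePath)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = Get-CompatibilityFlags -Key $key
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # OR the killbit into any flags already present rather than overwriting them.
    param([Parameter(Mandatory)][string]$Clsid, [string]$Root = $BasePath)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $new = (Get-CompatibilityFlags -Key $key) -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

# PLACEHOLDER CLSID: replace with the CLSIDs given in Advisory 972890.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

$Roots = @($BasePath)
if ([Environment]::Is64BitOperatingSystem) { $Roots += $Wow64Path }

foreach ($clsid in $Clsids) {
    foreach ($root in $Roots) {
        if (Test-KillBit -Clsid $clsid -Root $root) {
            Write-Output "killbit already set: $root\$clsid"
        } else {
            Set-KillBit -Clsid $clsid -Root $root
            Write-Output "killbit set:         $root\$clsid"
        }
    }
}
```

Two caveats for anyone using this as a template. First, the killbit only stops Internet Explorer from loading the control; the vulnerable library stays on disk, so the setting is a stopgap until the vendor's update is applied, exactly as the advisory says. Second, `Test-KillBit` is the half worth keeping in a configuration-compliance check: running it across a fleet shows which machines have not yet picked up the workaround.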
Atif Mushtaq at the FireEye Malware Intelligence Lab claimed that in the coming days more malware would be seen paired with this exploit, and that things would continue to get worse until Microsoft came up with a patch. He also claimed that a huge spike in malware had already been seen since the exploit was made public.