The "object type" vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a Web page. If the Web page is viewed with Internet Explorer -- even a fully patched browser -- the malicious code embedded in the page will execute, experts say. Despite Microsoft acknowledging that the patch doesn't work, it evidently has not yet issued a working fix for the vulnerability.
US-based information security company iDefense released a statement over the weekend claiming the vulnerability is being actively exploited "in the wild".
"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," the statement read.
The relevant Microsoft bulletin was issued on 20 August and last updated on 8 September.
"Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," Microsoft's security bulletin reads. "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."
The managing director of mail-filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know."
Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."
Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the "Internet Zone". Ironically, in order to patch the system through Microsoft's WindowsUpdate Web site when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet zone.
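An added PowerShell audit (not part of the article) that reads the same Internet zone setting from the current user's registry instead of the Tools, Internet Options dialog, and lists which hosts are mapped into the Trusted sites zone, which is where the WindowsUpdate site would have to sit if ActiveX stays disabled in the Internet zone. It assumes Microsoft's documented zone registry layout (Zones\3 is the Internet zone, DWORD 1200 is "Run ActiveX controls and plug-ins", ZoneMap\Domains holds site-to-zone assignments); those key names come from that documentation, not from the article, and per-machine policy under HKLM can override what is shown here.

```powershell
# Added audit script; key layout per Microsoft's IE security-zone documentation
# (Zones\3 = Internet zone; value 1200 = "Run ActiveX controls and plug-ins").
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$mapKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Meaning of the DWORD data for URL-action values in a zone.
$labels = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# 1200 is the setting the article tells users to change; the download
# actions are reported alongside it for context.
$checks = @{
    1200 = 'Run ActiveX controls and plug-ins'
    1001 = 'Download signed ActiveX controls'
    1004 = 'Download unsigned ActiveX controls'
}

function Get-InternetZoneActiveXState {
    $props = Get-ItemProperty -Path $zonesKey
    foreach ($id in ($checks.Keys | Sort-Object)) {
        $raw = $props.PSObject.Properties[[string]$id].Value
        $state = if ($null -eq $raw) { 'Not set (zone default)' }
                 elseif ($labels.ContainsKey([int]$raw)) { $labels[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{ Setting = $checks[$id]; Value = $id; State = $state }
    }
}

function Get-TrustedSiteMappings {
    # ZoneMap stores Domains\<domain>\<subdomain> with one value per scheme
    # whose data is the zone number; 2 = Trusted sites.
    Get-ChildItem -Path $mapKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $item  = $_
        $parts = ($item.Name -replace '.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)          # subdomain.domain order
        $host  = $parts -join '.'
        $item.GetValueNames() | Where-Object { $item.GetValue($_) -eq 2 } | ForEach-Object {
            [pscustomobject]@{ Host = $host; Scheme = $_; Zone = 'Trusted sites' }
        }
    }
}

Get-InternetZoneActiveXState | Format-Table -AutoSize
Get-TrustedSiteMappings      | Format-Table -AutoSize
```

If "Run ActiveX controls and plug-ins" shows Disabled and no update host appears in the Trusted sites list, the WindowsUpdate site will not be able to run its control until it is added to that zone.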
Talkback
I have had ActiveX controls disabled for the last 3 years or so, and I just want to say that this is one of the most irritating things about Microsoft, and Internet Explorer. There is no way to get the browser to quit reminding you that "pages may not display correctly" and requiring you to click on the "OK" button whenever a page with ActiveX is visited.
I believe this is part of Microsoft's campaign to wear down users, so that in order to get rid of the irritation they will finally start allowing ActiveX. With all of the changes to Internet Explorer over the years, Microsoft has never allowed the option to "quit displaying this message", as is done with many other warnings. ActiveX is evidently something they are pushing, and they will keep it in my face whether I like it or not.
The next time you do a story about this, can you please ask Microsoft why they won't let users who have disabled ActiveX to disable the warning message as well?
When, oh when, will Bill learn? To keep the public wanting more of your product, you have to give them a sense of security. If you're not going to let people 'see' the code so they can at least fix it, make sure you have the manpower to fix the problems that arise!
I am just sick of Microsoft screwing up my computer. If most of my users did not use Windows, I would never touch the thing. For my part I just use Mozilla; Internet Explorer has always been too buggy for me.
Buy a Mac!