Serious IE vulnerability discovered!
A vulnerability in Internet Explorer involving the Microsoft Video ActiveX Control has been reported. The exploit can hijack a computer remotely when the victim simply visits a compromised web site.
The Microsoft Video ActiveX Control connects DirectShow filters for video and is used in Windows Media Center. When the control runs in Internet Explorer, it can corrupt the system so that an attacker can run arbitrary code remotely without any user intervention. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Microsoft advised Windows XP and Server 2003 customers to remove support for this ActiveX Control within Internet Explorer using the solution found at http://support.microsoft.com/kb/972890.
Customers who are using Windows Vista or Windows Server 2008 are not affected by this vulnerability because the ability to pass data to this control within Internet Explorer has been restricted. However, Microsoft suggested that these users also apply the measure as defense in depth.
In the meantime, Microsoft is working to develop a security update for Windows to address this vulnerability and will release the update when it has reached an appropriate level of quality for customer distribution.
And while waiting for this security update, I suggest using another browser in the meantime (but I guess I don't have to).