Security hole in ActiveX control
Yet another error has surfaced in the XMLHTTP ActiveX control. Attackers could execute arbitrary code with the user's rights on affected Windows systems when Internet Explorer is used to visit a rigged website. The problem affects Microsoft's XML Core Services 4.0 (MSXML).
France's FrSIRT was able to reproduce the flaw on a fully patched version of Windows XP SP2 with MSXML 4.0, and is classifying the hole as critical. The flaw also affects Windows 2000 SP4 and Server 2003 with or without SP1.
Microsoft has released a security advisory and announced a security update. Until the latter is released, the best course of action is to turn off ActiveX. Microsoft did, however, fail to clarify precisely which systems are affected, that is, which have version 4.0 of MSXML installed. A version list is available for those who want to be on the safe side.