Code for exploiting a vulnerability in Microsoft's scripting control for handling multimedia animation in Web pages was released on Thursday, the software giant warned in an advisory.
The latest exploit code improves upon a previous exploit for the flaw released at the end of August, which only reliably crashed vulnerable systems. The exploit uses an ActiveX vulnerability in Microsoft's DirectAnimation functionality to run code with the user's rights. In its advisory posted on Thursday, Microsoft said it was investigating the issue.
"We are also aware of proof of concept code published publicly but we are not aware of any attack attempting to use the reported vulnerability or of customer impact at this time," the software giant stated in the advisory.
ActiveX is a component of Microsoft's Internet software that facilitates data exchange and Web interactivity, but that also has caused many security problems for the software giant in the past. In July, HD Moore claimed to have found nearly 200 flaws in the ActiveX programs shipped in the default Windows installation and commonly used code. ActiveX vulnerabilities also made up a significant number of flaws in the Internet Explorer vulnerabilities publicized by Moore throughout July during his browser bug-a-day campaign.
Microsoft has made some fundamental changes in how Internet Explorer and Windows deals with ActiveX, with more to come in Vista and Internet Explorer 7, to further secure consumers' systems.
Posted by: Robert Lemos