Patch, patch, patch!

Mar 27, 2007 10:41 GMT  ·  By

Proof-of-concept code has been published for a Microsoft Windows MDAC ActiveX vulnerability affecting Windows 2000 SP4, Windows XP SP2 and Windows Server 2003. The MDAC ActiveX vulnerability was rated Critical because it allows remote code execution. The flaw was originally disclosed on July 29, 2006, during HD Moore's Month of Browser Bugs; Microsoft did not issue a security patch until February 2007.

"Our scanners are now actively searching for any live sites that are attempting to exploit this vulnerability. This type of vulnerability has been very popular with malicious attacks in the past and we expect to see its usage increase substantially, now that exploit code is publicly available. On February 13, 2007, Microsoft released patch MS07-009 to address this vulnerability. We recommend that you apply this patch immediately, if you have not yet done so," security company WebSense wrote.

Although a Microsoft patch addressing the MDAC ActiveX vulnerability is available, attackers will target systems that have not installed it. Internet Explorer is the attack vector: a user who visits a malicious web page with a browser that is not up to date with Microsoft's security patches can have malicious software executed on the computer.
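The advice in the article comes down to verifying that MS07-009 is installed on every Internet Explorer host. The following PowerShell script is an added example for this page, not code from the article, Websense, eEye or Microsoft. It assumes two identifiers the article does not state: that KB927779 is the hotfix ID under which MS07-009 is installed, and that {00000514-0000-0010-8000-00AA006D2EA4} is the CLSID of the ADODB.Connection control. It reports the installed IE major version, whether the hotfix is present, and whether the control's kill bit is set as a stopgap; a host is flagged as exposed whenever neither the patch nor the kill bit is in place, regardless of IE version, since the patch is required either way.

```powershell
# Added example for this page; not code from the article, Websense, eEye or Microsoft.
# Assumptions (not stated in the article): KB927779 is the hotfix ID of MS07-009 and
# {00000514-0000-0010-8000-00AA006D2EA4} is the CLSID of the ADODB.Connection control.
param(
    [string]$HotfixId = 'KB927779',
    [string]$Clsid    = '{00000514-0000-0010-8000-00AA006D2EA4}'
)

function Get-IEMajorVersion {
    # IE records its version string in the Version value of this key.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie -and $ie.Version) { return [int]($ie.Version.Split('.')[0]) }
    return $null
}

function Test-HotfixInstalled([string]$Id) {
    # Win32_QuickFixEngineering enumerates installed updates and does not need the Get-HotFix cmdlet.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
           Where-Object { $_.HotFixID -eq $Id }
    return [bool]$qfe
}

function Test-KillBitSet([string]$ControlClsid) {
    # IE refuses to instantiate a control whose "Compatibility Flags" value has bit 0x400 set.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ControlClsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band 0x400)
}

$ieVersion = Get-IEMajorVersion
$patched   = Test-HotfixInstalled $HotfixId
$killBit   = Test-KillBitSet $Clsid

$report = New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    IEVersion   = $ieVersion
    HotfixFound = $patched
    KillBitSet  = $killBit
    # Exposed if neither the update nor the kill bit mitigation is present.
    Exposed     = (-not $patched) -and (-not $killBit)
}
$report | Format-List Computer, IEVersion, HotfixFound, KillBitSet, Exposed

# Non-zero exit code lets a deployment tool or login script act on exposed hosts.
if ($report.Exposed) { exit 1 } else { exit 0 }
```

Run it with administrative rights so the WMI query and registry reads succeed; a kill bit only blocks the control inside Internet Explorer, so it is a stopgap until the update is deployed, not a replacement for it.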

According to eEye Digital Security, the MDAC ActiveX vulnerability only affects Internet Explorer 6; the latest version of Microsoft's browser, IE7, is not affected. "We've tested it against IE7 and haven't got it to work yet," explained Andre Protas, director of eEye's Preview research service.

Microsoft has not commented on the publication of the exploit code, and since a security update is already available for deployment, the Redmond company is unlikely to do so.