14 DAY TRIAL // French Security Incident Response Team spotted and reported that an attacker could seize control of a vulnerable system by exploiting the bug in an alert on Wednesday.
By installing malicious code in a Web page that exploits a memory corruption error in a file that ships with Microsoft Office 2002 and Microsoft Visual Studio, a remote attacker can easily take control of a user's machine over the Internet.
The system flow that allows the intrusion involves a COM object, the Microsoft DDS Library Shape Control, provided by the MSDDS.DLL that is installed with Microsoft Office and Visual Studio.NET. Internet Explorer will run any COM object that is referenced by a Web page and COM objects that are not ActiveX controls such as the Microsoft DDS Library Shape Control can deliver unpleasant surprises.
CERT analysis: viewing specially crafted HTML document allows the attacker to exploit the flaw into executing arbitrary codes on users' machines or even cause IE to crash.
Secunia and FrSIRT rated the vulnerability "critical" or "highly critical". The SANS Internet Storm Center warned on Thursday : "We feel widespread malicious use of this vulnerability is imminent." And they really mean that, because the exploit code has been available on Internet since Wednesday !!
What does Microsoft have to say about this situation? They say we should set some "kill bits" on individual ActiveX/COM objects as an ultimate fix for the issue.
Oh, and they also say that it wasn't a very nice thing what FrSIRT did. Indeed, who do they think they are, those French guys, to go around and warn people about their computer being in danger because another Microsoft something doesn't run properly??!!