Microsoft warns of 'critical' Internet Explorer flaw

ActiveX vulnerability could allow remote code execution

Microsoft has issued a warning about an unpatched vulnerability in Internet Explorer that could allow an attacker to take control of a system. 

The vulnerability affects the ActiveX component in Internet Explorer versions 5.01 and 6.0.

Microsoft confirmed that proof-of-concept attack code has been posted on the web, but claimed that it is not aware of any attacks actively exploiting the vulnerability.

Security website Secunia rated the vulnerability 'extremely critical', its most severe security ranking. 

The security firm posted an advisory on its site pinpointing the vulnerability to a memory corruption error in AcvtiveX's Microsoft Multimedia Controls. Secunia advised users to activate DirectX only when visiting trusted sites.

The SANS Internet Storm Center suggested that users could work around the vulnerability by modifying the daxctle.ocx file, or by setting Internet Explorer to prompt the user before executing ActiveX. 

The Outlook family of programs could be vulnerable as well, but SANS noted that the program's default settings typically mitigate much of the potential risk.

The discovery of this latest Internet Explorer vulnerability comes just three days after Microsoft's monthly patch Tuesday release addressed vulnerabilities in Windows XP and Publisher.

Microsoft is investigating the vulnerability reports but is unable to say when a patch will be released.