
Microsoft Warns Of 'Browse-And-Get-Owned' Attack

Attacks have been reported that attempt to exploit an unpatched vulnerability in Microsoft's Video ActiveX Control.

Microsoft on Monday issued a security advisory about a zero-day vulnerability in the Microsoft Video ActiveX Control. The flaw could allow a remote unauthenticated attacker to execute malicious code on computers running Windows XP and Windows Server 2003.

"A browse-and-get-owned attack vector exists," acknowledged Microsoft security engineer Chengyun Chu on the company's Security Research & Defense blog. "A user needs to be lured to navigate to a malicious Web site or a compromised legitimate Web site to be affected. No further user interaction is needed."

The specific vulnerable file is Microsoft's MPEG2TuneRequest ActiveX Control Object. The company recommends setting the kill-bit on this ActiveX object as a workaround until a patch is released.

Microsoft provides a link on its Security Research & Defense blog that will disable the vulnerable ActiveX control.
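
For administrators who want to verify or apply the kill-bit workaround themselves, the following PowerShell script is an added example, not Microsoft's tool or code from the advisory. It uses the documented Internet Explorer kill-bit location (the `Compatibility Flags` value, bit 0x400, under `ActiveX Compatibility\{CLSID}`); the CLSID shown is a placeholder and must be replaced with the class identifiers listed in Microsoft's advisory.

```powershell
# Added example: report (and optionally set) the IE kill bit for ActiveX CLSIDs.
# The default CLSID is a PLACEHOLDER, not the real MPEG2TuneRequest identifier;
# pass the CLSIDs from the vendor advisory via -Clsid.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),  # placeholder
    [switch]$Apply   # without -Apply the script only reports; writing HKLM needs elevation
)

$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from instantiating the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit Internet Explorer on 64-bit Windows reads this view instead:
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$KeyPath) {
    # Returns the current flags, or 0 when the key or value does not exist.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $item) { [long]$item.'Compatibility Flags' } else { [long]0 }
}

foreach ($id in $Clsid) {
    foreach ($root in $Roots) {
        # Skip a registry view that is absent (no Wow6432Node on 32-bit Windows).
        if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }

        $key   = Join-Path $root $id
        $flags = Get-CompatFlags $key
        $set   = ($flags -band $KillBit) -ne 0

        if (-not $set -and $Apply) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the kill bit in so any other compatibility flags are preserved.
            New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -PropertyType DWord -Value ($flags -bor $KillBit) -Force | Out-Null
            # Re-read to confirm the write took effect.
            $set = ((Get-CompatFlags $key) -band $KillBit) -ne 0
        }

        [pscustomobject]@{ Clsid = $id; Key = $key; KillBitSet = $set }
    }
}
```

Run without `-Apply` first to see which registry views lack the kill bit; a control is only blocked for both 32-bit and 64-bit Internet Explorer when every reported row shows `KillBitSet` as true.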