Microsoft has released Security Advisory (972890) to describe attacks on a vulnerability in the Microsoft Video ActiveX control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
UPDATE: Microsoft has released a cumulative security update of ActiveX Kill Bits (MS09-032). Please see Microsoft Security Bulletin MS09-032 - Critical for more information about the update. LSU computers that are part of Active Directory should receive this update automatically.
The most effective workaround for this vulnerability is to set kill bits for the Microsoft Video ActiveX control, as outlined in the documents noted above. Other workarounds include disabling ActiveX, as specified in the Securing Your Web Browser document, and upgrading to Internet Explorer 7 or later, whose ActiveX opt-in feature can help mitigate the vulnerability. Users running Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.
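To confirm that the kill bits were actually applied on a machine, the following PowerShell audit can be used. It is an added example, not code from Microsoft or from this notice. It assumes the standard kill-bit location (the `Compatibility Flags` value under `ActiveX Compatibility` in the registry), and the CLSID shown is a placeholder to be replaced with the class identifiers listed in the advisory.

```powershell
# Added example: report whether the ActiveX kill bit is set for each CLSID.
# The CLSID below is a PLACEHOLDER, not a value from the advisory; replace it
# with the class identifiers listed in Security Advisory 972890 / MS09-032.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# Bit in "Compatibility Flags" that stops Internet Explorer from instantiating the control.
$KillBit = 0x00000400

# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view, so audit both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in $Roots) {
        # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $key   = "$root\$Clsid"
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $prop  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            $flags = $prop.'Compatibility Flags'
        }

        # A missing key or value means no kill bit: the control can still load.
        [pscustomobject]@{
            Clsid      = $Clsid
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { 'missing' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

$report = $Clsids | ForEach-Object { Test-KillBit -Clsid $_ }
$report | Format-Table -AutoSize

$unprotected = @($report | Where-Object { -not $_.KillBitSet })
if ($unprotected.Count -gt 0) {
    Write-Warning "$($unprotected.Count) registry view(s) have no kill bit set."
}
```

The script only reads the registry, so it can be run as a standard user; any row with `KillBitSet` equal to `False` identifies a registry view where the workaround or the MS09-032 update has not taken effect.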
