Microsoft warns of attacks on new ActiveX hole

IE users warned about new ActiveX vulnerability, affecting Office XP, 2003, and ISA Server 2004 and 2006, that could allow an attacker to take control of the PC.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

July 14, 2009 6:50 a.m. PT

Attackers are exploiting a new critical ActiveX hole in Microsoft Office to take control of PCs by luring Internet Explorer users to malicious Web sites, Microsoft said on Monday.

The zero-day hole, the third one announced by Microsoft in less than two months, is in Office Web Components ActiveX controls used to display and publish spreadsheets, charts, and databases to the Web.

It affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

The security advisory details a manual workaround, or people can use Microsoft's Fix-It tool to implement the workaround automatically.

Microsoft said it was working on a security update to patch the hole.

Antivirus vendor Sophos, meanwhile, said in a blog posting on its site that it had received reports of several Web sites, mostly in China, serving the exploit as part of a Web exploit kit that downloads and runs a Windows Executable detected as "Mal/Generic-A."