It's Patch Tuesday, but Microsoft didn't discover the latest zero-day vulnerability quickly enough to issue a fix this week. On Monday, Microsoft issued a security advisory about a new vulnerability in the Office Web Components Spreadsheet ActiveX control.
"The vulnerability exists specifically in the Spreadsheet ActiveX Control and could allow an attacker who successfully exploited this vulnerability the same user rights as the local user," the advisory said. "We are aware of limited, active attacks attempting to exploit this vulnerability."
Browse and Get Owned
According to Microsoft, this vulnerability could be used for remote code execution in a "browse and get owned" scenario. User interaction is required, since a user needs to go to a malicious Web site that hosts the exploit.
"The last couple of weeks have been interesting for anybody following Microsoft security," said Wolfgang Kandek, CTO of Qualys. "Beyond the DirectShow vulnerability zero day at the end of May, Microsoft has been forced to acknowledge two other zero-day vulnerabilities."
Kandek noted that both are related to ActiveX. The first vulnerability was discovered in a video component. Since browsing Web sites with embedded exploit code in Internet Explorer is the main attack vector, Kandek said it would certainly fuel the discussion about the use of alternative browsers.
"Microsoft has quickly provided easy-to-use workarounds for both vulnerabilities via their Fixit program," he said, "but it is not clear why they have waited for over a year to provide a fix for the underlying coding problems which they were notified of in the spring of 2008."
Plugging ActiveX Holes
Last week, Microsoft issued a security advisory about a vulnerability in its Video ActiveX Control. Microsoft issued a patch Tuesday to plug two critical Windows security holes related to ActiveX.
The updates will plug a zero-day vulnerability within Microsoft TV Technologies that can be exploited through Internet Explorer. Microsoft TV Technologies is an ActiveX control that comes with Windows XP and is installed by default.
Reports indicate thousands of Web sites have been compromised and are now hosting the exploit for this issue. The exploit files are detected as Downloader.Fostrem (previously detected as Downloader). The downloaded files are detected as Trojan Horse, Backdoor.Trojan, Infostealer and Downloader.
Windows XP users with Internet Explorer 6 and 7 are at risk, but those with Internet Explorer 8 installed are not vulnerable. Preliminary testing shows that computers running Windows Vista are not affected by the vulnerabilities.
ActiveX Workarounds
For the latest zero-day vulnerability, Microsoft has offered a workaround and noted several mitigating factors. For example, ActiveX controls will not load in the Internet zone on Windows Server 2003 or Windows Server 2008 if a user browses with default settings, due to the Enhanced Security Configuration.
What's more, Microsoft said, if Office Web Components is not installed on the computer and the user visits a page hosting the attack, then Internet Explorer 7 or 8 will show the gold-bar prompt requesting permission to install the ActiveX control.
Outlook and Outlook Express are not affected because both open HTML mails in a zone where ActiveX is restricted. However, if a user follows a link to a malicious Web site, attackers could exploit this vulnerability.