This is a bad one if you are running Windows XP or Windows Server 2003 with Internet Explorer. If you are running Windows Vista, Windows 7 or Windows Server 2008, then you are not affected.

The bad part about this is that all it takes is for you to visit a bad site. If you are using Chrome (like me), Firefox or Safari, then you are not affected by this. Microsoft really should redesign IE from scratch and get rid of all that ActiveX baggage/nonsense; it is not worth it, it only causes trouble. Almost every IE vulnerability is ActiveX based.

Mitigating Factors:

Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.

By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are 2 ways to do something about this:

1) Visit Microsoft Security Advisory (972890) and look in the workaround section, where you will find a way to disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.

2) Use the Fix it button on this page: http://support.microsoft.com/default.aspx/kb/972890

Here is a partial list of domains that are exploiting this hole

A complete list can be found here: http://isc.sans.org/diary.html?storyid=6739