The "object type" vulnerability, which was first acknowledged publicly by Microsoft on 20 August this year, allows an attacker to take control of a system by embedding malicious code in a Web-page. If the Web page is viewed by an Internet Explorer browser--even a fully patched browser--the malicious code embedded in the Web-page will execute, experts say. Despite Microsoft acknowledging the patch doesn't work, it evidently has not yet issued a working fix for the vulnerability.
U.S.-based information security company iDefense released a statement over the weekend claiming the vulnerability is being actively exploited "in the wild".
"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," the statement read.
The relevant Microsoft bulletin was issued on 20 August and last updated on 8 September.
"Subsequent to issuing this security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability," Microsoft's security bulletin reads. "Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems."
Managing director of mail filtering software company Clearswift, Chy Chuawiwat, told ZDNet Australia the vulnerability is serious. "It's definitely there and it continues to be easy to exploit," he said. "It could run anything and the users wouldn't know."
Chuawiwat suggests users disable ActiveX controls and plug-ins until Microsoft issues a patch that fixes the vulnerability. "For most enterprises there's no need for ActiveX so it should be disabled," he said. "Our standard policy would remove executables including ActiveX."
Users can disable ActiveX controls in their Internet Explorer settings by clicking Tools, Internet Options, Security, and then modifying the settings for the "Internet Zone". Ironically, in order to patch the system through Microsoft's Windows Update Web site when a fix becomes available, users must allow ActiveX controls and plug-ins to run in the Internet zone.