Unusually, Microsoft has warned users about a vulnerability in its software that it hasn't fixed yet.
Microsoft Security Advisory 972890 discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003, according to a posting by MSRC team member Christopher Budd.
"Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site.
"We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue."
So far, investigations show there are no by-design uses for this ActiveX Control within Internet Explorer, and Microsoft is recommending that users implement a workaround that involves setting all killbits associated with this control.
"While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed," Budd adds.
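For administrators who want to apply the workaround at scale, the kill bit is just a registry flag: Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under its ActiveX Compatibility key. The PowerShell below is an added example, not code from the article or from Microsoft; it audits each CLSID in a list and sets the kill bit where it is missing. The CLSIDs in it are placeholders, and the real list for this control is the one published in Microsoft Security Advisory 972890.

```powershell
# Added example (not from the article or Microsoft): audit and set the Internet Explorer
# kill bit for a list of ActiveX CLSIDs. Run in an elevated session; the keys live under HKLM.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that stops IE from loading the control

# PLACEHOLDER CLSIDs, constructed for this example; substitute the advisory's list.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True only if the key exists and the 0x400 bit is present in its flags
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatFlags -Clsid $Clsid
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatFlags -Clsid $Clsid
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so any compatibility flags already present on the control are kept
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBitFlag) -Force | Out-Null
}

foreach ($clsid in $Clsids) {
    if (Test-KillBit -Clsid $clsid) {
        Write-Output "$clsid : kill bit already set"
        continue
    }
    Set-KillBit -Clsid $clsid
    # Re-read the registry rather than trusting the write
    if (Test-KillBit -Clsid $clsid) {
        Write-Output "$clsid : kill bit set and verified"
    } else {
        Write-Warning "$clsid : kill bit NOT verified after write"
    }
}
```

Two caveats when using this in practice: on 64-bit Windows the 32-bit Internet Explorer reads the mirrored key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so the same loop should be run against that path as well; and the kill bit only stops Internet Explorer from instantiating the control, so it is a browser-side mitigation rather than a replacement for the security update the advisory says is being developed.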