ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number: 091506-02
Alert Date: 9/15/06
Alert Title: Microsoft releases security advisory for *UNPATCHED* IE vulnerability
Update-to: none
OS/Platform/Application:
  Internet Explorer 6 for Microsoft Windows XP (including Service Packs 1 and 2, and Professional x64 Edition)
  Internet Explorer 6 for Microsoft Windows Server 2003 (including Service Pack 1, x64 and Itanium-based systems)
  Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Category: ALERT
Severity: HIGH
Attention: System Administrators, Desktop Support Personnel, IE users
Summary: On September 14, 2006 Microsoft released Security Advisory 925444. The advisory covers a vulnerability in an ActiveX control shipped with Internet Explorer (the DirectAnimation Path control, daxctle.ocx) that could allow a remote attacker to execute code, and thereby gain control of a victim system, with the privileges of the logged-on user. The most likely attack vector is viewing a specially crafted web page, whether by browsing to it directly or by following a link in an email message; no user action beyond rendering the page is required. At the time of this writing (11:48 AM EST 9/15/06) several Internet security organizations are reporting that proof-of-concept exploit code has been publicly released. Microsoft has not yet made a patch available that definitively fixes the issue. Security Advisory 925444 does offer best-practice advice for reducing the risk of exploitation, along with several technical workarounds (disabling the control via its kill bit, and restricting ActiveX in the Internet zone); each workaround carries caveats, chiefly that it can break legitimate content that depends on the control or on ActiveX generally.
Recommended Actions: Persons who manage, maintain or use Windows 2000, Windows Server 2003 or Windows XP systems running IE 5.01 or IE 6 are encouraged to read Security Advisory 925444 (and the associated information; links are provided below) to understand the vulnerability and weigh the risks and benefits of the vendor-suggested workaround options before applying them. Because exploit code is public and no patch exists, users should also be reminded not to follow links from unsolicited email messages.
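As an added example (not part of this ITS alert, and not Microsoft's own code), the following PowerShell script applies the two registry-based workarounds from the advisory and verifies the result: it sets the kill bit for the affected control's CLSID so IE will not instantiate it, and it changes the Internet zone to prompt before running any ActiveX control. The CLSID below is the one the advisory lists for the DirectAnimation Path control; confirm it against the advisory text before running, since an incorrect CLSID protects nothing. The script assumes an elevated session on the affected machine.

```powershell
# Added example: apply and verify the Security Advisory 925444 workarounds.
# Not part of the ITS alert or of Microsoft's advisory. Run elevated.
# Assumption: $Clsid is the DirectAnimation Path control's CLSID as listed in
# the advisory; confirm it there before use.

$Clsid   = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'   # confirm against advisory 925444
$KillBit = 0x400                                      # COMPATFLAG_KILLBIT

# Kill-bit key paths: the native view, plus the Wow6432Node view that the
# 32-bit IE uses on the x64 editions named in the alert.
$KillBitPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([IntPtr]::Size -eq 8) {
    $KillBitPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the kill bit into any existing flags instead of overwriting them.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($p in $KillBitPaths) {
    Set-KillBit -Path $p
    Write-Host ("{0}`n  kill bit set: {1}" -f $p, (Test-KillBit -Path $p))
}

# Second workaround: make the Internet zone (zone 3) prompt before running
# ActiveX controls. Value 1200 = "Run ActiveX controls and plug-ins":
# 0 = enable, 1 = prompt, 3 = disable. This lives under HKCU, so it must be
# applied for every user profile that runs IE on the machine.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
Set-ItemProperty -Path $ZonePath -Name '1200' -Value 1 -Type DWord
$zoneValue = (Get-ItemProperty -Path $ZonePath -Name '1200').'1200'
Write-Host ("Internet zone ActiveX setting (1200) = {0} (1 = prompt)" -f $zoneValue)
```

Two caveats match the ones the advisory itself raises. The kill bit disables the control everywhere, including in any application that hosts the WebBrowser control, so sites or intranet applications that legitimately use DirectAnimation will stop working until the bit is cleared. The zone change only affects the Internet zone; a malicious page that lands in the Trusted Sites or Local Intranet zone is not covered, so a kill bit is the stronger of the two. Neither is a patch: both should be revisited once Microsoft ships the update.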
ITS Actions: At this time, ITS is taking no specific additional actions to address this software vulnerability. An update will be issued if the situation changes.
Resources:
Microsoft Security Advisory 925444:
http://www.microsoft.com/technet/security/advisory/925444.mspx
SANS Article on the vulnerability:
http://isc.sans.org/diary.php?storyid=1705
Secunia Advisory:
http://secunia.com/advisories/21910/
FrSIRT advisory:
http://www.frsirt.com/english/advisories/2006/3593