Damsun Security

 Another zero-day exploit for Microsoft systems appeared this weekend, capable of compromising fully patched system running Internet Explorer 6 and 7 when a user visits a malicious website.

Microsoft has issued an advisory on the ActiveX vulnerability and exploit, first discovered by Secunia and labeled as "extremely critical." All Microsoft systems except Windows Server 2003 are vulnerable. Users may fall victim just by visiting a maliciously crafted website.

Deflecting responsibility for the situation, Microsoft advises users affected by the zero-day exploit to, "contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country." The vulnerability affects hundreds of millions of computer systems, however. Of those vulnerable, it is not known how many users will visit malicious websites that contain the exploit before an official patch appears from Microsoft.

Client side zero-day exploits are very dangerous because they evade the defenses of fully patched systems, often without any warning. Users are cautioned against visiting unknown websites using Microsoft Windows and all versions of Internet Explorer - including IE 7, marketed by Microsoft as "a major step forward" in security over IE 6.