Windows still insecure from an old ActiveX control.

Status: Not open for further replies.

Posted by KSoD (Call me Mak or K, Mod Emeritus)
Yes, that is right, you read that correctly. After so many years and so many measures taken against ActiveX, there is still an ActiveX control that can be exploited and used against a person today, even in IE8, Microsoft's latest browser and the browser to be included in Win7 (except for the E versions).

The flaw can only be exploited when a user clicks a link. So if you get your email via a software client like Outlook, you are relatively safe, as it should be caught by the spam filter.

While many people are crying out for a patch, the security experts at Microsoft have a different opinion:

"Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control," the security advisory reads. "For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer."

The Security Advisory suggests that you disable these controls, but with a possible 45 registry entries to edit it can be a long and drawn-out process. There is a much simpler way. (Thanks to BetaNews for this information.)

1. Open Security Advisory 972890 and scroll down to General Information. Open the Suggested Actions tier, followed by Workarounds, and scroll down until you see the long list marked Class Identifier.

2. Start the Windows Registry Editor (REGEDIT). (For Vista, you may need to click on Continue at the UAC prompt.)

3. In the left pane, open the folder corresponding to the registry tier \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The good news here is that all the CLSIDs in this segment of the registry, and all the CLSIDs in Microsoft's warning list, are in hexadecimal numerical order, so you won't have to search for each one from top to bottom.

4. Scan the registry to see if any of the CLSIDs correspond exactly to any of the 45 registry items flagged by Microsoft. More than one may correspond. If none correspond, you are already safe from this exploit. BetaNews was unable, for example, to find any of the 45 registry entries on its Windows XP or Vista systems, and does not expect to see them in Windows 7.

5. If you do find an offending CLSID, do not delete it. That actually won't change anything at all, believe it or not. Instead, select its entry in the left pane.

6. Check the right pane for a value named Compatibility Flags. If it does not yet exist, you'll need to create it. Right-click on the empty space in the right pane, and from the popup menu select New, Binary Value. A new listing is created at that moment, which you'll need to rename: type Compatibility Flags and press Enter.

7. Right-click on Compatibility Flags and from the popup menu select Modify. In the Edit DWORD Value dialog box, under Value data, type 400, leave the Base setting on Hexadecimal, then click OK. Repeat this process for all the remaining CLSIDs in Microsoft's list.

What this does is set the kill bit for the control. The control is still registered (and still taking up space on your hard drive, doing nothing), but now it is at least turned off, so Internet Explorer will refuse to load it and it can't be leveraged in an attack.
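The same audit-then-fix routine from steps 3 to 7, as an added PowerShell example that is not from the original post or the BetaNews article. It assumes the registry path from step 3 and the 0x400 kill-bit value from step 7; the two CLSIDs in the script are constructed placeholders and must be replaced with the Class Identifier list from Advisory 972890. Compatibility Flags is written as a REG_DWORD, the value type the Edit DWORD Value dialog in step 7 edits, and the bit is OR-ed into any flags already present rather than overwriting them.

```powershell
# Added example (not from the original post or BetaNews): audit and, on request, set the
# Internet Explorer kill bit (Compatibility Flags 0x400) for a list of ActiveX CLSIDs.
# Run in an elevated PowerShell session; preview with -WhatIf before writing anything.

$ActiveXCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400   # the flag IE checks before it will instantiate a control

# Constructed placeholder CLSIDs. Replace with the Class Identifier list from
# Microsoft Security Advisory 972890 (Suggested Actions -> Workarounds).
$Clsids = @(
    '{00000000-0000-0000-0000-00000000AAAA}',
    '{00000000-0000-0000-0000-00000000BBBB}'
)

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $ActiveXCompat $Clsid
    if (-not (Test-Path $key)) {
        # No entry for this CLSID at all (the "none correspond" case from step 4)
        return [pscustomobject]@{ Clsid = $Clsid; KeyExists = $false; Flags = 'n/a'; KillBitSet = $false }
    }
    $prop  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = if ($null -eq $prop) { 0 } else { [int]$prop.'Compatibility Flags' }
    [pscustomobject]@{
        Clsid      = $Clsid
        KeyExists  = $true
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $ActiveXCompat $Clsid
    if ($PSCmdlet.ShouldProcess($Clsid, 'Set kill bit (Compatibility Flags |= 0x400)')) {
        # Creating the key for an absent CLSID is harmless and pre-sets the bit
        # should the control ever be registered later.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $prop    = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $current = if ($null -eq $prop) { 0 } else { [int]$prop.'Compatibility Flags' }
        # OR the bit in so that any other compatibility flags already set survive
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

# Audit first ...
$Clsids | ForEach-Object { Get-KillBitStatus $_ } | Format-Table -AutoSize

# ... then set the bit only where it is missing (drop -WhatIf once the preview looks right)
$Clsids | Where-Object { -not (Get-KillBitStatus $_).KillBitSet } |
    ForEach-Object { Set-KillBit -Clsid $_ -WhatIf }
```

The audit output shows, per CLSID, whether the key exists, the current flags in hex, and whether bit 0x400 is already set, which is the check step 4 asks you to do by eye. Because the script reads the existing flags back before writing, rerunning it is safe: a CLSID that is already killed is left untouched.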

Source