Microsoft released an advisory today that an unpatched vulnerability in the Office Web Components ActiveX control allows an attacker to run arbitrary code as the logged-in user. Worse yet, this is being actively exploited in the wild. Fortunately it is easy to protect against.

For the technical details, please see the SANS Internet Storm Center post, and the official Microsoft advisory.

Here’s the short version and how to protect yourself:

  1. This is a flaw in the spreadsheet ActiveX control that comes with Office. It only works if you visit a malicious link with Internet Explorer, and have a vulnerable version of Office installed (if you have Office, it’s safest to assume you are vulnerable).
  2. This does not affect Outlook, unless you click on an email link that opens Internet Explorer.
  3. It is actively being exploited by bad guys on the Internet, and Microsoft is working on a patch.
  4. If you switch to another browser, you are safe.
  5. If you still need to use IE, you can click on this link for a tool that will help disable the control. Don’t try this if you are on a work computer without talking to IT.

And that’s it – no reason to panic, with plenty of ways to protect yourself. You can now safely ignore all the scary emails you’ll be getting any moment from various security vendors…

(This is unrelated to the other ActiveX 0day that popped up last week and is also being actively exploited).