Microsoft said that users browsing with IE6 or IE7 on Windows XP and Windows Server 2003 are susceptible to the attacks. Vista and Server 2008 are not affected, and there is also no risk to people using IE8.
New York, July 7: Microsoft on Monday warned users of attacks in the wild by hackers exploiting a vulnerability in its Microsoft Video ActiveX Control on Windows XP and Windows Server 2003.
This is the second such warning Microsoft has issued in six weeks.
Attacks launched on websites
The company's security team issued an advisory confirming that thousands of legitimate websites had been hacked over the weekend, allowing the attackers to run code on a visitor's PC as soon as the user loads one of the compromised or malicious pages.
Marc Fossi, manager of research and development for Symantec Security Response, said that many Chinese Web sites, as well as a Russian Embassy site in Washington, D.C., had been used to host the attack, but that the extent of the attacks globally is not yet confirmed.
Chengyun Chu, of the Microsoft Security Response Center's engineering team, stated in his blog post, "A browse-and-get-owned attack vector exists."
"A user needs to be lured to navigate to a malicious Web site or a compromised legitimate Web site to be affected ... [but] no further user interaction is needed," he added.
Protective measures suggested by Microsoft
Microsoft said it would patch the bug soon, but in the meantime has urged users of Windows XP and Windows Server 2003 to set 45 "kill bits" in IE, one for each of the ActiveX control objects exposed by the flawed library, so that the browser refuses to load them.
"We identified that none of the ActiveX Control Objects hosted by msvidctl.dll are meant to be used in IE," said Chu. "Therefore, we recommend to kill-bit all of these controls as a defense-in-depth practice. The side effect is minimal."
As a "defense in depth" measure, Microsoft has also recommended that users of Vista and Server 2008 disable the ActiveX control in the same way, even though those platforms are not known to be at risk.
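A kill bit is nothing more than a registry value: IE checks HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} and, if bit 0x400 of its Compatibility Flags DWORD is set, refuses to instantiate that control. The PowerShell below is an added illustration of that mechanism, not Microsoft's own Fix it package or the article's content. It assumes an elevated prompt; the CLSID list is an assumption too, showing only the MSVidCtl control itself, while the other 44 CLSIDs must be copied from Microsoft's advisory, which this page does not reproduce.

```powershell
# Added example: set and verify IE ActiveX kill bits for the msvidctl.dll controls.
# Not Microsoft's Fix it; run from an elevated PowerShell prompt.
$KillBit = 0x400   # documented "kill bit" flag in Compatibility Flags

$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view; skipped on 32-bit OS below
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# ASSUMPTION: only the MSVidCtl CLSID is listed here; the remaining 44 CLSIDs
# named in Microsoft's advisory must be appended to this array.
$Clsids = @(
    '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # MSVidCtl (msvidctl.dll)
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($base in $BasePaths) {
        if ($base -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) {
            continue   # 32-bit Windows has no Wow6432Node hive
        }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the bit in rather than overwrite, so any existing flags survive
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is present in the primary (non-Wow) view
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $BasePaths[0] $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($c in $Clsids) {
    Set-ActiveXKillBit -Clsid $c
    '{0}  kill bit set: {1}' -f $c, (Test-ActiveXKillBit -Clsid $c)
}
```

The read-back in Test-ActiveXKillBit is the check worth keeping: a Fix it or group-policy push that silently fails on one machine leaves that machine exposed. Note that a kill bit only stops IE from loading the control; the vulnerable code is still on disk, so the kill bits are a stopgap until the patch is applied, not a replacement for it.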