The bug, in a Microsoft Video ActiveX control, can be leveraged to run code on users' PCs if they are duped into visiting a malicious website through Internet Explorer, Chistopher Budd, a security program manager at Microsoft, said in a blog post Monday.
"In a web-based attack scenario, an attacker could host a website that contains a web page that is used to exploit this vulnerability," according to a Microsoft advisory issued Monday. "In addition, compromised websites and websites that host user-provided content or advertisements could contain specially crafted content that could expoit this vulnerability."
He said the ActiveX control in question has "no by-design uses" so, as users await a patch, they should set the kill bit for it. Customers running Windows Vista and Server 2008 are not affected by the vulnerability, but Budd recommended that they set the kill bit as well for additional protection.
"Once that kill bit is set, any attempt by malicious websites to exploit the vulnerability would not succeed," Budd wrote.
Researchers at Symantec said Monday that the hole mostly is being exploited in Asia, particularly China, where thousands of hacked websites have been seeded with attack code.