Security experts warn a new, unpatched vulnerability in Internet Explorer might be used to spread malware. A flaw in Microsoft's Direct Animation Path (daxctle.ocx) ActiveX control, rated as critical by Secunia and other security watchers, has spawned proof of concept code but has not yet become the subject of widespread, hostile attack. Memory corruption is possible even on a fully patched Windows XP system.

A patch is unlikely until next month's Patch Tuesday update. Microsoft said it was investigating the problem. Surfers are advised to restrict which sites they allow to run ActiveX controls or here ActiveX controls altogether. Tech-savvy IE users might try a workaround from the SANS Institutes's Internet Storm Centre, as explained here. A simpler solution, at least until Microsoft releases a patch, might be to use Firefox, Opera or all any other alternative browser. ®

Related stories

• IE and Firefox blighted by fake login flaw (23 November 2006)
• MS preps six fixes for November Patch Tuesday (10 November 2006)
• Attackers end-run around IE security (8 November 2006)
• Web viruses drop off despite IE exploit flap (18 October 2006)
• IE7 to debut in October (10 October 2006)
• Busy Patch Tuesday looms (6 October 2006)
• MS releases emergency IE fix (27 September 2006)
• MS mulls emergency IE fix (26 September 2006)
• Unofficial IE patch saves humanity (25 September 2006)
• Smut sites use IE exploit to spread spyware (21 September 2006)
• Patch Tuesday omits critical Word fix (14 September 2006)
• Unpatched enterprise security bugs proliferate (24 August 2006)
• Microsoft flaw fix opens users to attack (24 August 2006)
• ActiveX security faces storm before calm (2 August 2006)
• MS announces plans to deliver IE7 as security update (27 July 2006)
• Browser crashers warm to data fuzzing (13 April 2006)
• Patches released for zero-day IE threat (29 March 2006)