The SANS Institute’s Internet Storm Center raised its Infocon threat level from green to yellow, and said it believes widespread malicious use of this vulnerability is imminent.

The exploit was released late Wednesday, and Microsoft said yesterday it is aggressively investigating the reported vulnerability but is not aware of any attacks that attempt to use it.

Vulnerabilities such as this, where working exploit code is circulating before the vendor has a patch available, are known as zero days. There is no official patch for this one.

The vulnerability is in a COM object, msdds.dll, which is installed by various Microsoft applications including newer versions of Office, the .NET Framework and Visual Studio .NET, but which is not part of a default Windows installation.

The attack requires the user to view a web page created by the attacker. The page instantiates the object as an ActiveX control, and a successful exploit allows the attacker to run code of their choice on the vulnerable machine.

According to SANS, which has tested the exploit, the code as published opens a remote shell running with the same privileges as the user's IE process, but other payloads are possible. Bugs of this kind are ideal vectors for drive-by spyware installations.

SANS said it has temporarily upgraded its Infocon threat level to highlight the need for speedy action. The last time it went to yellow was a week ago, when the Zotob Windows 2000 worm was unleashed onto the internet.

Since there is no patch, Microsoft suggests concerned users disable the DLL's COM object in Internet Explorer (for example by setting its kill bit) or block access to the file. This will break applications that use it, but will keep IE safe from attack. More details are at: http://www.microsoft.com/technet/security/advisory/906267.mspx
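The kill bit is the standard way of telling Internet Explorer never to instantiate a given COM object, and it is the workaround most administrators will reach for here. The script below is an added example written for this page, not code from the article or from Microsoft's advisory: it sets the kill bit for a CLSID and then verifies it. The CLSID given as the default is the one the editor believes the advisory lists for msdds.dll; it is an assumption here and must be checked against advisory 906267 before use. The registry paths and the 0x400 flag value are the documented kill-bit mechanism.

```powershell
# Added example, not from the article or the advisory: set and verify the IE
# kill bit for a COM object. Run from an elevated PowerShell session.
param(
    # ASSUMED CLSID for msdds.dll; confirm it against advisory 906267 before use.
    [string]$Clsid = '{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}'
)

# 0x400 (COMPAT_EVIL_DONT_LOAD): IE refuses to load the control at all.
$killBitFlag = 0x400

# Kill bits live under "ActiveX Compatibility". On 64-bit Windows the 32-bit IE
# process reads the Wow6432Node view, so set the flag in both places if present.
$roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already set for this CLSID and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $killBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    return $new
}

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $killBitFlag) -ne 0)
}

foreach ($root in $roots) {
    $flags = Set-KillBit -Root $root -Clsid $Clsid
    $ok    = Test-KillBit -Root $root -Clsid $Clsid
    '{0}: Compatibility Flags=0x{1:X}, kill bit set={2}' -f $root, $flags, $ok
}

# Is the object even registered on this machine? Shows which file backs the CLSID.
$server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
          -ErrorAction SilentlyContinue
if ($server) { 'COM server: ' + $server.'(default)' }
else         { "CLSID $Clsid is not registered on this machine." }
```

The kill bit takes effect for new IE processes; close open browser windows after running it. Setting the flag does not remove or unregister msdds.dll, so applications that load the object directly (outside IE) keep working, which is the reason to prefer this over deleting or blocking the file when the DLL is needed.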

The best workaround, of course, is to switch to another browser, even if only temporarily while a patch is developed. Since the attack relies on IE instantiating the object as an ActiveX control, a browser that does not support ActiveX, such as Firefox, is not exposed to this attack.

The exploit was evidently first published by FrSIRT, the French Security Incident Response Team, which said it was reported by an anonymous person. This narked Microsoft.

Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk, the company said in a statement.