On the Microsoft Secure Windows Iniative blog, software engineer Chengyun discusses the default behaviour of ActiveX controls embedded in Office documents. The software giant also provides information on how can an attacker abuse ActiveX and how Office users can change the behavior of ActiveX controls embedded in Office documents.
From the article:
Attackers have discovered ActiveX support in Office applications and have been using it to more effectively lure victims to web-based malware. They have recently used the “Microsoft Scriptlet Component” to navigate victims to a website exploiting a patched Internet Explorer vulnerability (CVE 2009-0075, fixed by security bulletin MS09-002). Seems like attackers have discovered it is easier to trick a user to open a Word document attached to email compared to luring a user to click a dubious-looking link.
Chengyun also provides step-by-step instructions on configuring Office 2007 for users concerned about Safe-for-Initialization ActiveX controls being instantiated by Office without prompt.
For more on this type of attack, check this entry at Trend Micro’s malware blog.
