Attackers are exploiting the just-patched vulnerability in Internet Explorer (IE) by hiding malicious ActiveX controls in Microsoft Word documents, according to security researchers.
"Inside the document is an ActiveX control, and in that control is a line that makes it call out to the site that's hosting the malware," said David Marcus, the director of security research and communications for McAfee's Avert Labs. "This is a pretty insidious way to attack people, because it's invisible to the eye, the communication with the site." Embedding malicious ActiveX controls in Word documents isn't new - Marcus said he had seen it "a time or two" - but using an ActiveX control to ping a hacker's server for attack code is "definitely an innovation," he added. "They're stepping it up."