According to a Microsoft statement, "Products affected are Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006."
A simpler list published elsewhere by Microsoft contains Office XP/2003/2007, BizTalk, ISA Server, and Office Accounting and Business Contact Manager. Office Web Components can also be installed separately.
A temporary fix is to apply a kill-bit to the control. This can be done automatically by using the wizard provided on Microsoft's Help and Support site, but administrators are likely to turn to other tools to deploy the kill-bit across their fleets.
The kill-bit only prevents the control from being loaded by Internet Explorer. The control has been deprecated for some time, so it is relatively unlikely to be used by current software.
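For administrators who want to deploy the kill-bit themselves rather than run Microsoft's wizard, the following PowerShell script is an added example (not from this article or from Microsoft) that sets the kill-bit for one control and verifies it; the CLSID is a placeholder, to be replaced with the CLSIDs Microsoft names for the affected Office Web Components control, and the registry paths and the 0x400 Compatibility Flags value are the standard Internet Explorer kill-bit mechanism.

```powershell
# Added example: set and verify the Internet Explorer kill-bit for an ActiveX control.
# The CLSID below is a PLACEHOLDER, not a real Office Web Components CLSID;
# substitute the CLSIDs from Microsoft's advisory for the affected control.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that stops IE instantiating the control

# Kill-bits live under the ActiveX Compatibility key. On 64-bit Windows the
# 32-bit Internet Explorer reads the Wow6432Node copy, so both are handled.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so that any flags already set on the control are preserved
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band $KillBit) -eq $KillBit
}

foreach ($base in $BasePaths) {
    if (-not (Test-Path $base)) { continue }   # no Wow6432Node on 32-bit Windows
    Set-KillBit -BasePath $base -Clsid $Clsid
    $state = if (Test-KillBit -BasePath $base -Clsid $Clsid) { 'set' } else { 'NOT set' }
    Write-Output "$Clsid kill-bit $state under $base"
}
```

Run it from an elevated PowerShell session; the Test-KillBit function on its own is also a convenient fleet-wide audit check.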
Microsoft is investigating the vulnerability, and is working on a security update that will be released at an unspecified time.
The vulnerability is being exploited - please read on.
According to Sophos, websites hosting exploits for this vulnerability are mainly located in China.
Security software vendors are addressing the issue. For example, Check Point says it has already updated its Endpoint Security and ZoneAlarm products, while Sophos is "in the process of collecting all known samples and publishing detection for them" according to the company's most recent blog posting.
Another ActiveX control is due to be fixed by Microsoft this week.
A vulnerability in the MPEG2TuneRequest ActiveX Control Object is reportedly being exploited via thousands of compromised websites in China and other parts of Asia.
Both of these ActiveX flaws could be exploited in a "'browse and get owned' scenario" according to Microsoft security officials.
Also expected in this month's Patch Tuesday updates are fixes for the DirectShow vulnerability, a flaw affecting all currently supported versions of Windows, and flaws in Publisher, ISA Server, Virtual PC and Virtual Server.
It would be unusual if Microsoft were able to complete its testing of a patch for the Office Web Components issue in time to release an update alongside these fixes.