July 4th Weekend Attack Infecting Windows 2000 and Windows XP Systems

July 4th Sneak Attack

A new multi-vector attack was discovered over the July 4th weekend in which web browsers are used to download malicious code that infects Microsoft DirectShow. DirectShow is part of Microsoft’s framework for playing different media types in games and other media players such as QuickTime and Real Player. The code then allows a hacker to take full control of a victim’s computer.

The vulnerability was officially reported at the end of May 2009 in Microsoft’s Security Advisory 971778, a bulletin regarding a potential vulnerability in Microsoft DirectShow which could allow remote code execution:

"Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if user opened a specially crafted QuickTime media file. Microsoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue."

Over the July 4th weekend, several hundred websites were found to be infected with the exploit, which downloaded Trojan code that allows a remote attacker to take full control of a user’s system and run malicious code or use the system as part of a botnet.

Microsoft stated in their bulletin:

"In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions."

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In fact, Microsoft could not have been further wrong. Attackers have been infecting everyday websites by injecting malicious code which takes the user from the infected site (infected site #1) to, in some cases, a second hijacked site (infected site #2). The infected second site then links innocent victims to a malicious site, which in turn downloads the malware to their PC, as shown in the diagram below.

(c) McAfee: New Attacks Against Internet Explorer

DirectShow versions 7, 8 and 9 in Windows 2000, Windows XP and Windows Server 2003 are all vulnerable. Windows Vista and Windows 2008 have not been affected by the exploit, as DirectShow has been replaced by the Windows Media Foundation in the operating system.

In the absence of any available patches, the current recommended strategy is either to use group policies to disable the ActiveX control from running in Internet Explorer on all systems whilst Microsoft tries to resolve the problem, or to go to http://support.microsoft.com/kb/971778 and click on the large Fixit button at the bottom of the article.



