An ActiveX flaw in Microsoft XML Core Services 4.0 is actively being exploited by hackers to take control of computers running Windows 2000, XP SP2 or Server 2003, security firms and Microsoft are reporting.
What's worse, for both Redmond and users, is that the flaw is related to a vulnerability supposedly patched in October's patch release, the largest group of patches put out so far. Likely, that patch called attention to further holes.
Secunia is calling the problem "extremely critical." Microsoft has not announced whether it will release an out-of-cycle patch or wait until the next Patch Tuesday; it suggests workarounds involving that old saw -- disabling ActiveX.