Microsoft yesterday warned of a new attack underway against a flaw in the ActiveX control for the Snapshot Viewer for Microsoft Access, used by IE. There is not yet any patch available for the zero-day security hole, and the attacks likely focus on business targets.
In its security advisory, Redmond says the vulnerable control installs with "all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer." A poisoned Web page that exploits the hole could surreptitiously download malware to a victim PC.
"Active, targeted attacks" are underway on a relatively small scale, according to the advisory.
The US-CERT vulnerability report doesn't inspire hope: "We are currently unaware of a practical solution to this problem." You can set what's known as a kill bit for this particular ActiveX control to prevent it from running in IE, but doing so could prevent you from viewing Access report snapshots, and it involves mucking with the Windows Registry. See this Microsoft Support Page for kill bit instructions (the CLSID is in the security advisory).
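As an added illustration (not taken from the Microsoft advisory or the support page), this PowerShell script shows what setting a kill bit amounts to: OR-ing the 0x400 flag into the control's `Compatibility Flags` value under IE's `ActiveX Compatibility` registry key, then reading it back. The CLSID is a placeholder and must be replaced with the one in the security advisory; the function names are hypothetical.

```powershell
# Added example: set and verify an IE kill bit. Run from an elevated prompt.
# PLACEHOLDER CLSID: substitute the value listed in the Microsoft security advisory.
$Clsid     = '{00000000-0000-0000-0000-000000000000}'
$KillBit   = 0x400                    # Compatibility Flags bit that stops IE loading the control
$ValueName = 'Compatibility Flags'

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$KeyPath)
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.$ValueName }
    return 0
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    if (-not (Test-Path $Root)) { return }          # registry view absent on this OS
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Keep any flags already present; only add the kill bit.
    $before = Get-CompatFlags $key
    Set-ItemProperty -Path $key -Name $ValueName -Value ($before -bor $KillBit) -Type DWord

    # Read back so a failed write (e.g. not elevated) is visible.
    $after = Get-CompatFlags $key
    [pscustomobject]@{
        Key        = $key
        Before     = '0x{0:X8}' -f $before
        After      = '0x{0:X8}' -f $after
        KillBitSet = (($after -band $KillBit) -ne 0)
    }
}

$Roots | ForEach-Object { Set-KillBit -Root $_ -Clsid $Clsid } | Format-Table -AutoSize
```

Once a patch is installed, clearing the 0x400 bit or deleting the CLSID subkey restores the ability to view Access report snapshots in IE.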
The US-CERT report also says that IE 7's ActiveX opt-in feature should help mitigate the vulnerability, a point the Microsoft advisory surprisingly doesn't mention. With opt-in, you should get a prompt before the control runs on a poisoned page, and would have a chance to stop it before it attacked your computer.
If you have the choice, it may be a good idea to use Firefox until this hole is fixed.