The problem is caused by a registered ActiveX control that fails to restrict which domains may load the control for execution, security company Symantec reports.

The company states that around 40 issues involving this type of vulnerability have been discovered since May 2007. Furthermore, it appears that vulnerabilities of this type are growing in number.

The list of products most likely to be affected by this flaw includes VMware, Microsoft Visual Studio, NCTSoft, and HP Photo Digital Imaging.

Besides having the “delete” option available, attackers can also create or append to arbitrary files. For instance, an attacker might schedule the execution of arbitrary code during the next reboot or logon session, and the user won’t be able to do anything to prevent this, because the object is within a signed ActiveX control.

Users are advised to avoid visiting unknown sites (exploitation requires a visit to a malicious web page) and to deny all requests to load untrusted ActiveX controls.