Cyber criminals are populating the Internet with Web sites designed to exploit several recently- discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook , Orkut and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also ‘probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.The plugins also makes the windows registery REGEDIT.EXE vulnerable to attacks and hacks.

ActiveX” itself may not be not necessarily the problem. ActiveX is a commonly used format for packaging native code in a way that it can be used by Internet Explorer. If that code contains a flaw, then Internet Explorer can be used as an attack vector for that buggy code. For example, if that code is written in C and it doesn’t properly handle strings, it may be vulnerable to a stack overflow that can reached by viewing a web page. That holds true whether that code is packaged as an ActiveX control or a Netscape-style plugin, or Opera widgets.

Plug-ins (including ActiveX) are dangerous. ActiveX is much more weak than Netscape-style plugins. Nearly every windows application comes with ActiveX or COM objects, but it’s very rare for them to install Netscape-style plugins. Therefore, using Internet Explorer with ActiveX enabled for all sites on the internet (the default configuration) is dangerous because you’re relying on all of these components to be written in secured manner.

Though the IE7 has a alternative feature called ActiveX opt-in, which requires the user to accept a prompt before running controls installed by most stand-alone applications, but even that is not good enough to stop hackers from breaking into your computer. Mozilla on the other hand implements Web 2.0 using Ajax/JSON et al, there is a bit of a growing movement in non-standards based environments: Flash and Silverlight are emerging as full fledged OS-like environments inside the browser, and till now they have not been found to these attacks.

So Be careful not to log in through IE into any mail or your password protected pages, as it might lead to possible hack, take this precaution till these newly discovered loopholes are fixed.