"Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention."
"We are aware of attacks attempting to exploit the vulnerability. "
A user with the vulnerability just needs to visit a web site containing malware to exploit the security hole to become infected. Thousands of web sites have reportedly already been hacked to host the malware.