The patch sets the kill bit for affected Class Identifiers (CLSID) in vulnerable COM objects. Since certain COM objects were never intended to instantiate within Internet Explorer, this functionality has been removed. This patch also installs additional checks before a COM object can execute.
The patch also includes a kill bit for the ADODB.Stream object. The object may cause certain applications running within a corporate intranet environment to fail. For additional information, see Microsoft Knowledge Base Article 870669.
The Windows operating systems and the .NET Framework do not ship with the msdds.dll library. Systems running Microsoft Office 2003, Microsoft Access 2003, Microsoft Visual Studio 2003 or Microsoft Visual 2002 SP 1 are not vulnerable. Microsoft Office XP Service Pack 3 and Microsoft Access 2002 Service Pack 3 systems are also unaffected unless the msvscp70.dll and msvcr70.dll files are placed in the same location as msdds.dll or the %System% folder.
Users are encouraged to scan their systems for version 7.0.9064.9112 or 7.0.9446.0 of the msdds.dll file to determine vulnerability.
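One way to run that scan is the following PowerShell inventory script, added here as an example and not part of the original advisory or any vendor tooling. The `$SearchRoots` default and the helper name `Get-NumericFileVersion` are assumptions made for illustration; the version numbers and runtime DLL names are taken from the text above as written.

```powershell
# Added example: inventory msdds.dll copies and flag the versions named in the advisory.
# $SearchRoots is an assumption; point it at the volumes that need to be covered.
param(
    [string[]]$SearchRoots = @("$env:SystemDrive\")
)

$FlaggedVersions = @('7.0.9064.9112', '7.0.9446.0')   # versions listed in the advisory
$RuntimeDlls     = @('msvcr70.dll', 'msvscp70.dll')   # file names as written in the advisory
$SystemDir       = [Environment]::SystemDirectory     # the %System% folder

function Get-NumericFileVersion {
    # Hypothetical helper: builds the version from the numeric fields,
    # because the FileVersion string can carry extra build text.
    param([System.IO.FileInfo]$File)
    $v = $File.VersionInfo
    '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
}

$results = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter 'msdds.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $version = Get-NumericFileVersion -File $_
            # Runtime DLLs beside msdds.dll or in the system folder matter for the
            # Office XP SP3 / Access 2002 SP3 condition described in the advisory.
            $runtimes = foreach ($name in $RuntimeDlls) {
                foreach ($location in @($_.DirectoryName, $SystemDir)) {
                    $candidate = Join-Path $location $name
                    if (Test-Path -LiteralPath $candidate) { $candidate }
                }
            }
            [pscustomobject]@{
                Path            = $_.FullName
                Version         = $version
                FlaggedVersion  = $FlaggedVersions -contains $version
                RuntimeDllsSeen = ($runtimes | Sort-Object -Unique) -join '; '
            }
        }
}

if ($results) {
    $results | Sort-Object Path | Format-List
} else {
    Write-Output 'No msdds.dll found under the searched roots.'
}
```

Run it from an elevated prompt so that protected directories are readable; directories that cannot be read are skipped silently and are not reported.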
This vulnerability is being actively exploited in the wild as of January 9, 2009.