Microsoft released a critical security update for MSCOMCTL.OCX. Windows Update will replace the vulnerable version of the ActiveX control that shipped with various Microsoft products (Office, SQL Server, etc.). But if you installed a private copy of this file in your application folder, it will not be replaced by Windows Update. Instead, you should send an update to your customers, as noted in the FAQ section of Microsoft Security Bulletin MS12-060:
I am a third-party application developer and I use the ActiveX control in my application. Is my application vulnerable and how do I update it?
Developers who redistribute the ActiveX control should ensure that they update the version of the ActiveX control installed with their application by downloading the update provided in this bulletin. For more information on best practices on redistributed component ... [GD: Click through for links]
If you're shipping this OCX, not referencing an already installed copy, but shipping your own, private version say side-by-side, etc, then you'll likely need to deploy this updated version.