The Guardian - UK
Technology
Jack Schofield

Microsoft admits to IE vulnerability being exploited on porn sites

Microsoft has issued a Security Advisory (925568) that confirms Internet Explorer is vulnerable to an overflow fault in its Vector Markup Language (VML). The note says:



A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.



However, "If you are a Windows Live OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems."

Microsoft has published a workaround, which involves disabling (unregistering) vgx.dll, and this seems the simplest approach. Full details are in the advice note, under Workarounds, in the section called "Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1".

If you are a company with a Windows Domain, you should use Group Policy to block the attack, as explained on Jesper Johansson's blog.

Another workaround is, of course, to use a different browser, such as Firefox or Opera.

The VML exploit was first described in public on Monday on the Sunbelt blog, after it was found on a small number of hardcore porn sites. The vulnerability allows the site to download a long list of Trojans, adware and other malware, as Sunbelt explains here.

The danger, of course, is that the exploit could be used on sites that are commonly visited by more innocent users, in which case Microsoft might decide to release the fix before "patch Tuesday".
