Latest IE Zero Day Has XML Designs
UPDATED: Security researchers are alleging that a zero-day exploit for Microsoft's Internet Explorer is in the wild.
The vulnerability stems from a buffer overflow condition in IE for an XML component called Vector Markup Language (VML). VML handles vector images that are specified via XML inside of an HTML page.
According to Verisign's iDefense Labs division, attackers are using the vulnerability as an attack vector to download Trojans or other arbitrary code on users' PCs.
According to Ken Dunham, director of the Rapid Response Team at iDefense, fully patched Internet Explorer browsers are vulnerable to the VML buffer overflow condition, and exploits are in the wild.
Dunham noted that the attack is easily reproduced and has widespread attack potential in the near term.
"Microsoft has now confirmed that it is aware of the vulnerability and the fact that exploit code is in the wild," a company spokesperson told internetnews.com.
A security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted.
For now, Microsoft has published a Security Advisory, which details steps customers can take to protect themselves against attempts to exploit the vulnerability.
In its evaluation of the virus, Symantec
Andy Patrizio contributed to this story.