UPDATED: Security researchers are alleging that a zero-day exploit for Microsoft’s Internet Explorer is in the wild.
The vulnerability stems from a buffer overflow condition in the Internet Explorer component that handles Vector Markup Language (VML), an XML-based format for vector images embedded inside an HTML page.
According to Verisign’s iDefense Labs division, attackers are using the vulnerability as an attack vector to download Trojans or other arbitrary code onto users’ PCs.
According to Ken Dunham, director of the Rapid Response Team at iDefense, fully patched Internet Explorer browsers are vulnerable to the VML buffer overflow condition, and exploits are in the wild.
Dunham noted that the attack is easily reproduced and has widespread attack potential in the near term.
Until a patch from Microsoft becomes available, Dunham advises that IE users disable JavaScript.
“Microsoft has now confirmed that it is aware of the vulnerability and the fact that exploit code is in the wild,” a company spokesperson told internetnews.com.
A security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted.
For now, Microsoft has published a Security Advisory, which details steps customers can take to protect themselves against attempts to exploit the vulnerability.
In its evaluation of the virus, Symantec suggested disabling JavaScript in IE or using another browser. A security update that will address the vulnerability is currently being prepared by Microsoft, but it is not currently expected until October 10.
Andy Patrizio contributed to this story.