Microsoft confirmed that there have been recent reports of attacks on Internet Explorer using a previously unknown flaw in its handling of VML. VML stands for Vector Markup Language, and is used to display graphic information on the web. Malicious code of this type is called an exploit. As the name suggests, exploits are code and software created to take advantage of security vulnerabilities in programs and operating systems. They are often used to install malware onto an unsuspecting victim’s computer. This particular exploit allows the attacker to execute arbitrary code on the user’s system and install a host of malware on it.
The attack was first reported by researchers at Sunbelt Software, Inc. on September 18, and is currently hosted on a handful of sites. But based on previous browser-oriented attacks, it might not be long before legitimate sites are affected. This attack works on all versions of Windows running the IE 6 browser, including fully patched machines. It is believed that an exploit kit called Web Attacker has been updated to include code to exploit this vulnerability. This exploit kit is sold underground and can be used to easily develop malware.
This is the second attack on an IE vulnerability following a long string of attacks on the company’s Office suites. The first occurred last week and involved a flaw in the handling of a multimedia component of the browser. Microsoft has issued a security advisory saying that a patch to handle this vulnerability is scheduled for release on October 10 or sooner, depending on the severity of the problem. It has been suggested that users can avoid this VML attack by disabling JavaScript in IE or by using alternative web browsers.