A new zero-day attack affecting fully patched IE 6 browsers has been discovered. VeriSign's iDefense have confirmed that numerous dodgy porn websites are already exploiting this flaw, which concerns the way that the oh-so-secure IE 6 handles graphics. A problem with the Windows component called "vgx.dll" is responsible.
Malicious software can be loaded, unbeknown to the user, onto a vulnerable Windows PC, and all it takes to make this happen is the user clicking a malicious link. French Security Incident Response Team and Secunia have given the problem their most serious rating, and already evidence has been uncovered that nasty porno sites are using this flaw to install vast amounts of adware on to people’s machines. Isn’t the Internet a lovely place?
Microsoft plans to fix the flaw as part of its monthly patching cycle on 10 October, but this will mean that the problem will persist for even diligent users until that time. The fix will not come anywhere near soon enough, according to Websense, who expect that the number of attacks utilising this flaw will explode.
"We have confirmed multiple, previously known, WebAttacker sites that are currently exploiting this vulnerability to install malicious software," Websense said. "We expect to see many of the several thousand WebAttacker sites begin to utilise the exploit, as they update to the latest release of the tool kit."