
Careful where you click...
By Joris Evers
Published: 20 September 2006 08:40 BST
Miscreants are using an unpatched security bug in Internet Explorer to install malicious software from rigged websites, experts warned on Tuesday.
The vulnerability lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknown to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a website or an email message, several security companies said.
Ken Dunham, director of the rapid response team at VeriSign's iDefense, said in an emailed statement: "Fully patched Internet Explorer browsers are vulnerable. This new zero-day attack is trivial to reproduce and has great potential for widespread web-based attacks in the near future."
Security-monitoring companies the French Security Incident Response Team and Secunia have given the issue their most serious ratings.
Shady adult websites are among the first to exploit the IE vulnerability, Eric Sites, vice president of research and development at spyware specialist Sunbelt Software, wrote on a corporate blog. In one case, a malicious website used the exploit to install "epic loads of adware", according to Sunbelt.
Microsoft plans to fix the flaw as part of its monthly patching cycle on 10 October, the software giant said in a security advisory. The update might be released sooner, "depending on customer needs", it added. Typically, Microsoft only breaks its patch cycle when attacks are widespread.
The number of attacks may rise quickly, according to web security company Websense. It appears that WebAttacker, a tool often used to create attack sites, has been fitted with the new exploit, Websense said in an emailed statement. "We have confirmed multiple, previously known, WebAttacker sites that are currently exploiting this vulnerability to install malicious software," it said. "We expect to see many of the several thousand WebAttacker sites begin to utilise the exploit, as they update to the latest release of the tool kit."
Microsoft added in its advisory: "Microsoft is aware that this vulnerability is being actively exploited." While it works on an update, Microsoft recommends that users keep their security software updated and exercise caution when browsing the web. In its advisory, it also provides several workarounds to protect systems against the flaw.
The vulnerability lies in a Windows component called "vgx.dll". This component is meant to support Vector Markup Language documents in the operating system. VML is used for high-quality vector graphics on the web.
This is the second known and unpatched flaw for IE to surface in as many weeks. Last week Microsoft confirmed a flaw in an ActiveX control related to multimedia. Attack code that exploits the flaw and could be used to hijack Windows PCs running IE 5 or IE 6 has been posted on the net. Microsoft also has yet to provide a patch for a Word 2000 flaw being exploited in targeted cyber attacks.
Joris Evers writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.