9.22.2006

Internet Explorer Hit Again

There's a new IE vulnerability being actively exploited in the wild that can nail fully patched systems with a virus or other malicious software. A poisoned Web page or HTML e-mail using VML (Vector Markup Language), a format for relatively uncommon vector graphics, could hit you with a drive-by download without any action from you aside from viewing the page or e-mail.

Microsoft doesn't yet have a patch for this hole, which hits IE on Windows XP, Windows 2000 and Windows Server 2003, according to Microsoft's bulletin. The bulletin says a poisoned banner ad on an otherwise legit site could also trigger the attack. Sunbelt got the first notice up, as far as I know. And F-Secure has a workaround posted with a command you can run to unregister the DLLs that are used for VML.

Your best bet, though, would be to switch to an alternate browser like Firefox or Opera, which according to F-Secure don't use VML. Outlook e-mails are also potentially vulnerable, but not by default, per F-Secure.

Posted by Erik Larkin at PC World.com
