An unpatched Internet Explorer exploit discovered in the wild this week could quickly spread to thousands of malicious websites as soon as this weekend, warn security researchers.
The exploit, which takes advantage of a bug in the way IE6 and earlier versions handle VML (Vector Markup Language), has been turned into a module in a Russian exploit toolkit called WebAttacker, researchers have confirmed. WebAttacker is designed to make it a simple matter to build a malicious website, even assessing the visitor's operating system and browser version and choosing the most effective exploit to use.
The VML flaw has been built into the latest version of WebAttacker, according to Sunbelt Security, Symantec and others.
While only about 20 sites are currently hosting the exploit, as many as 10,000 sites either host or point to various versions of WebAttacker, said Dan Hubbard, head of research at security company Websense, according to a report. That means the number of sites hosting the VML bug could quickly rise if WebAttacker users decide to upgrade.
The process seems to have begun already, with Internet Security Systems' X-Force research lab reporting on Wednesday that the number of sites hosting the exploit had trebled in a day.
Researchers also noted that a second generation of the exploit appeared a few hours after Sunbelt first noticed the original exploit. The upgrade delivers more malware once systems have been penetrated.
The exploit is continuing to evolve rapidly, researchers said. Proof of concept code has appeared for a version that would do away with the use of scripting, which would mean users couldn't protect themselves by disabling scripting in Explorer, and would make it easier for the exploit to be delivered via an HTML email.
Microsoft said in an advisory that it is aware of the attacks and is putting the finishing touches on a patch, but doesn't expect to deliver the patch before the usual monthly patch date – October 10. The company said it may deliver the patch earlier if needed.
The last time Microsoft delivered an out of cycle patch was early this year, for the WMF flaw. The company doesn't deliver out of cycle patches unless the threat is massive and ongoing.
In its advisory, Microsoft recommended users protect themselves by disabling scripting in Explorer, something that could be ineffective against future versions of the exploit. Also in the advisory, Microsoft explained how to disable the vulnerable Vgx.dll from the command line.
Another way of getting around the problem is to use another brrowser, say security experts.