A zero-day vulnerability in Internet Explorer's Vector Markup Language (VML) handling was disclosed earlier this week. The vulnerability is being actively exploited through specific compromised websites; specific malware families are using the vulnerability for installation; Microsoft has yet to ship a patch.
This is a shorter operational post — the situation is still developing.
What is happening
The technical mechanism: a buffer overflow in vgx.dll, the IE component handling VML rendering. A specifically-crafted VML element triggers the overflow when IE renders the page; successful exploitation gives the attacker code execution at the user's privilege level.
The exploitation occurs through web browsing. A user visiting a compromised website (or following a link in a phishing email) exposes IE to the malicious VML; the exploitation completes without further user action; the malware installs.
The pattern is similar to the WMF zero-day at the end of 2005. Image-handling code with insufficient input validation; passive exploitation through normal browsing; broad attack surface.
What Microsoft has said
Microsoft published an advisory on 19 September acknowledging the vulnerability. The advisory describes the issue, lists affected products (Internet Explorer 6 SP1 on Windows XP, Server 2003, Windows 2000), and provides workarounds. No patch has shipped; the advisory says one is in development; the next regular Patch Tuesday is 10 October.
The workarounds:
- Unregister vgx.dll to disable VML rendering. Breaks specific VML-using sites; the cumulative impact is small for most users.
- Adjust IE security zone settings to restrict scripting in the Internet Zone. More aggressive than typical defaults; produces user-experience friction; the security benefit is meaningful.
- Use Firefox for general browsing. Not officially recommended by Microsoft; operationally rational for many users; my own browser-use pattern already favours Firefox.
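As an added worked example (not part of the original post or of Microsoft's advisory), a PowerShell script that applies the first two workarounds on one host and then checks whether they took effect: it unregisters vgx.dll, disables Active scripting in the Internet Zone, and reports whether vgx.dll is still registered or still loaded in a running IE process. It assumes the vgx.dll path under Common Files that the advisory's regsvr32 command uses, and the registry layout in which the Internet Zone is zone 3 and value 1400 controls Active scripting; the function names are mine.

```powershell
# Added example: apply and verify the vgx.dll and Internet Zone workarounds.
# Run in an elevated shell; the zone change applies to the current user only.
# Assumed path (from the advisory's regsvr32 -u command):
$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
# Assumed registry layout: zone 3 = Internet Zone, value 1400 = Active scripting.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Disable-VmlRendering {
    if (-not (Test-Path $VgxPath)) {
        Write-Warning "vgx.dll not found at $VgxPath; nothing to unregister"
        return
    }
    # /u = unregister, /s = silent; regsvr32 exits non-zero on failure.
    & regsvr32.exe /u /s "$VgxPath"
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 /u failed with exit code $LASTEXITCODE" }
    Write-Host "vgx.dll unregistered; IE will no longer render VML"
}

function Disable-InternetZoneScripting {
    # 1400 = Active scripting; data 3 = Disable (0 = Enable, 1 = Prompt)
    Set-ItemProperty -Path $ZoneKey -Name '1400' -Value 3 -Type DWord
    Write-Host "Active scripting disabled in the Internet Zone for the current user"
}

function Test-VmlMitigation {
    # Still registered? Look for any COM server whose InprocServer32 is vgx.dll.
    $registered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } |
        Where-Object { $_.'(default)' -like '*vgx.dll*' }
    # Still loaded? An IE instance started before unregistration keeps the
    # DLL mapped until it is restarted, so the workaround is not yet effective.
    $loaded = Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.ModuleName -ieq 'vgx.dll' }
    $scripting = (Get-ItemProperty -Path $ZoneKey -Name '1400' -ErrorAction SilentlyContinue).'1400'
    [pscustomobject]@{
        VgxRegistered     = [bool]$registered
        VgxLoadedInIE     = [bool]$loaded
        InternetScripting = switch ($scripting) { 0 {'Enable'} 1 {'Prompt'} 3 {'Disable'} default {'Unknown'} }
    }
}

Disable-VmlRendering
Disable-InternetZoneScripting
Test-VmlMitigation
```

A result of `VgxRegistered = False`, `VgxLoadedInIE = False` and `InternetScripting = Disable` means both workarounds are in force; a `True` under `VgxLoadedInIE` means IE must be closed and reopened before the host is covered.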
What is structurally noteworthy
Two things.
The exploitation appeared before public disclosure. Specific compromised websites were observed exploiting the vulnerability before any public discussion of the bug. The pattern suggests private discovery and offensive use preceding the discovery by defensive researchers.
The structural implication: not all zero-days are publicly disclosed before exploitation begins. Specific exploitation infrastructure includes private vulnerabilities used at scale; the visible category of "publicly-disclosed zero-days" is the tip of a larger iceberg.
A third-party patch is circulating, again. Following the WMF precedent, specific researchers (notably ZERT — the Zero-day Emergency Response Team) have published an unofficial patch addressing the VML vulnerability without breaking VML rendering for legitimate sites. The patch is being distributed through trusted security channels.
The cumulative third-party patching pattern is now operationally established. Specific researchers organize to ship patches when vendor response is delayed; specific operators deploy the third-party patches ahead of vendor response.
What operators should do
For organisations running Windows infrastructure:
Deploy the workaround or third-party patch on critical systems. Unregistering vgx.dll is the simplest mitigation; the third-party patch from ZERT is operationally more elegant if the trust signal is acceptable. Either bounds exposure during the window.
User communication. Specific guidance about not visiting unfamiliar sites and about using Firefox for general browsing reduces exposure. The communication is bounded but useful.
Web-filtering for known malicious sites. Specific URLs distributing exploitation are documented; specific operators can block access through web-filtering infrastructure.
Monitor for compromised hosts. Specific malware installed through this vulnerability has known signatures; specific cleanup may be necessary on hosts that browsed compromised sites during the exposure window.
For end users:
Use Firefox for general browsing if available. The simplest defence is to avoid the vulnerable IE component for general browsing.
Apply Microsoft's patch when available. The official patch is the right long-term resolution; the workarounds are bridging measures.
What I am doing on my own infrastructure
For my own setup: minimal IE exposure; bounded direct risk. I have unregistered vgx.dll on the test machine where IE is occasionally needed; the third-party patch is on review.
For Gala Coral: standard incident response. Specific user communication about the issue; specific Web filtering of known malicious sites; specific monitoring for IE-based compromise indicators. The cumulative discipline is operationally adequate.
For client work where I have advisory roles: a brief note circulated yesterday with workaround guidance.
What I expect
Three predictions for early October.
Microsoft ships an official patch on or before the 10 October Patch Tuesday. 85% probability. The pressure is substantial; the engineering work is bounded; the regular cadence is the natural target.
Significant cumulative compromise occurs before the patch ships. 95% probability. The exploitation is active; specific hosts will be compromised during the window; the cumulative cleanup will be substantial.
Continued third-party patch activity for subsequent zero-days. 85% probability. The pattern is now established; specific subsequent incidents will see similar third-party response.
For my own continued writing: the third-party patch trajectory is structurally important. The cumulative archive of writing about disclosure and patch timing informs future structural assessments.
More as the situation develops.