Hackers are taking advantage of a new, unpatched Internet Explorer vulnerability to infect users visiting pornographic websites.

There's a number of unpatched (or so called 0-day) flaws around at the moment, but this one takes advantage of a flaw within the Vector Markup Language (VML) component of IE.

VML is an XML file that allows vector drawings to be delivered to surfers. The security bug is unrelated to a (still unpatched) flaw in Microsoft's Direct Animation Path (daxctle.ocx) ActiveX control discovered last week.

Security researchers at Sunbelt Software report the latest exploit is being used to install spyware on vulnerable systems visiting hostile sites.

To avoid such drive-by downloads, users are advised to avoid visiting pr0n sites. In the circumstances, use of an alternative browser such as Firefox or Opera is also to be advised.

A full write-up of the problem can by found in an advisory be the SANs Institute's Internet Storm Centre here. ®

Related stories

• Security flap over support ActiveX controls bug (27 February 2007)
• Dutch botnet duo sentenced (1 February 2007)
• Attackers end-run around IE security (8 November 2006)
• Web viruses drop off despite IE exploit flap (18 October 2006)
• Infection-by-cache risk unearthed (12 October 2006)
• Update Firefox JavaScript risk downplayed (3 October 2006)
• MS releases emergency IE fix (27 September 2006)
• MS mulls emergency IE fix (26 September 2006)
• Hackers target home users for cash (25 September 2006)
• Unofficial IE patch saves humanity (25 September 2006)
• Warnings grow over unpatched IE flaw (18 September 2006)
• Patch Tuesday omits critical Word fix (14 September 2006)
• Trojan targets 0-day Word vuln (5 September 2006)
• Unpatched enterprise security bugs proliferate (24 August 2006)
• Microsoft flaw fix opens users to attack (24 August 2006)
• ActiveX security faces storm before calm (2 August 2006)
• MS announces plans to deliver IE7 as security update (27 July 2006)
• Flaw finders lay siege to Microsoft Office (22 July 2006)
• Browser crashers warm to data fuzzing (13 April 2006)
• Patches released for zero-day IE threat (29 March 2006)