A vulnerability was recently discovered in Microsoft Windows Vector Markup Language (VML). This issue allows an attacker to execute malicious code through an HTML page in Internet Explorer, or in an HTML formatted email. Sunbelt first found and reported this exploit on September 18, 2006, after finding samples in the wild.

The CA Security Advisor team has observed malware that utilizes this vulnerability to drop a payload that includes device drivers with rootkit-like behavior. Research is continuing, and more details will be posted on the Security Advisor Research Blog as they become available.

On September 19, 2006, Microsoft published a security advisory at URL http://www.microsoft.com/technet/security/advisory/925568.mspx stating that a vulnerability in the Microsoft Windows implementation of Vector Markup Language could allow remote code execution. At the time, Microsoft is planning to release a security update on October 10, 2006 for the affected operating systems.

To protect against this exploit, unregister vgx.dll (the dll with the vulnerability) by clicking on Start and then Run and typing the following command:

Regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"