FAQ: What you should know now about the latest IE bug

20.09.2006
What's the problem? A vulnerability newly discovered in Microsoft Internet Explorer could allow an attacker to take over a targeted machine -- even a machine with all its patches up to date.

What's it called? The Common Vulnerabilities and Exposures list tentatively designates this vulnerability as CVE-2006-4868. McAfee calls it Exploit-VMLFill; Trend Micro calls it EXPL_EXECOD.A; Symantec calls it Trojan.Vimalov, reflecting its probable Russian origin. SecurityFocus assigns it a Bugtraq ID of 20096.

Which programs and versions are affected? Internet Security Systems reports that the flaw affects all versions of IE that include support for VML, which means versions 5 and 6, though tests so far have generally looked at version 6. There have been no reports of the attack working on IE 7. Recent versions of Outlook and Outlook Express are also vulnerable, as are all versions and service packs for Windows 2000 and XP. (IE on Win2003 runs by default in a restricted mode, in which certain binary and script behaviors are disabled; if those settings have been changed the system may be vulnerable.)

Are Mac, Linux or Unix systems vulnerable? What about Firefox? No, no, no and no. (Something Firefox aficionados are trumpeting loudly over in the SunbeltBlog comments. That's not winning many popularity contests.)

How is the vulnerability exploited? So far, the exploit has been found in the wild on a handful of Russian sites, mostly porn-related. Propagation is via the usual routes, particularly e-mail, though IM or any service by which an HTML link can be sent will do. Users must click on an HTML link to load the affected document. Outlook or Outlook Express users who automatically open HTML messages are also at risk.

What's the sequence of events? Security veterans won't be surprised to learn that we have yet another buffer-overflow attack here. The buffer is deluged and overflows, pushing JavaScript shell code into adjacent buffers for execution. The code downloads a piece of malware and saves it to the hard drive as CPU.exe, after which Internet Explorer generally shuts down.