A vulnerability in Internet Explorer is now being exploited to install malware on victims' machines. All versions of Internet Explorer from Internet Explorer 5.01 Service Pack 4 to Internet Explorer 8 Beta 2 are potentially vulnerable.
The flaw can be exploited when a user simply visits a website containing the malicious code. Users can be taken to one of these websites by clicking on a link in spam or an instant message, or by visiting a legitimate website that has been hacked. Legitimate websites are being compromised via SQL injection attacks and modified to include the exploit.
Microsoft has not yet released a patch; however, it has published a security advisory giving more details about the vulnerability and a blog post clarifying the various workarounds.
Shadowserver.org has posted a list of domains that are exploiting this vulnerability.
Other browsers, such as Firefox, are not vulnerable.
Update: 17 December 2008:
Microsoft has now released a patch for this vulnerability. Ensure your systems are updated ASAP.