Security Alert Issued For Microsoft Internet Explorer

U.S. Cert has issued the following Security Alert for Internet Explorer which has yet to be addressed by a Microsoft Patch.

Vulnerability Note VU#416092

Microsoft IE version 5.0 and higher support the Vector Markup Language (VML), which is a set of XML tags for drawing vector graphics. IE fails to properly handle malformed VML tags allowing a stack buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted web page with IE, that attacker may be able to trigger the buffer overflow.

It should be noted that this exploit is actively being exploited and there is no readily available solution available. Until a patch is released, it is advisable to configure Microsoft Outlook and Outlook Express to render email messages in plain text format.

A statement from Microsoft says "A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs".

They do offer a workaround available at M.S. Security Advisory 925568.