Update: Email may be an attack vector.
As reported, we are actively researching the newest IE zero-day exploits that are surfacing (s: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=449). To date we have discovered nearly 100 unique URLs that are all attempting to run malicious code on the user's machine without user intervention.
One interesting aspect we are researching is the number of machines that appear to have been compromised here. The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual. In particular we have noticed several travel-related websites that are hosted on different networks.
I don’t want to spread undue panic. This is not like the WMF exploit, which had the cruel aspect of using a graphic file to execute a payload. This fact broadened the attack vectors to graphics embedded in emails, graphics being viewed through Google Desktop, etc. This is not the same type of exploit.
However, we concur with the good folks over at WebSense — a lot of sites that we examined with this vulnerability are legitimate sites that have been compromised. It’s not just the usual porn and crack sites that some users go to.
There is no patch available for this exploit. The only way to avoid it is to a) turn off Active Scripting or b) use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected). Your standard protections should be in place — antivirus, firewall, antispyware. Your antivirus program may catch it, but don’t count on it in the near future, as AV vendors themselves are in the process of getting out new definitions.
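One way to apply and verify option a) from a script, as an added example that is not part of the original post: it sets URL action 1400 (Active Scripting) to "Disabled" for the current user in the Internet and Restricted sites zones, then reports the value in every zone. The function names are hypothetical, and the choice of zones 3 and 4 is an assumption; a Group Policy value, where present, overrides the per-user one.

```powershell
# Added example: disable and audit IE Active Scripting (URL action 1400) per zone.
# Registry layout is the standard per-user Internet Settings zone map.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Action    = '1400'

# Hypothetical helper: returns the DWORD for action 1400, or $null if not set.
function Get-ActiveScripting {
    param([int]$Zone, [string]$Root = $ZonesKey)
    $item = Get-ItemProperty -Path (Join-Path $Root $Zone) -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

# Hypothetical helper: writes 3 (Disabled) for action 1400 in one zone.
function Set-ActiveScriptingDisabled {
    param([int]$Zone)
    $path = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value 3 -Type DWord
}

# Assumption: untrusted web content renders in zone 3, and HTML mail in zone 4,
# so both are locked down. Trusted sites and intranet are left as configured.
foreach ($zone in 3, 4) { Set-ActiveScriptingDisabled -Zone $zone }

# Audit: a policy value, where one exists, takes precedence over the user value.
foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
    $user   = Get-ActiveScripting -Zone $zone
    $policy = Get-ActiveScripting -Zone $zone -Root $PolicyKey
    $effective = if ($null -ne $policy) { $policy } else { $user }
    $state = if ($null -eq $effective) { 'Not set (zone default applies)' }
             elseif ($Meaning.ContainsKey($effective)) { $Meaning[$effective] }
             else { "Unknown value $effective" }
    $source = if ($null -ne $policy) { 'policy' } else { 'user' }
    '{0,-17} Active Scripting: {1} [{2}]' -f $ZoneNames[$zone], $state, $source
}
```

Restart Internet Explorer after running it so the new zone settings are picked up.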