VML Exploit 0Day (MS06-055)
Starting with the WMF (Windows Meta File) 0day back in Dec 05/Jan 06, Microsoft seems to be having an increasing number of 0days on its hands. In particular, people now time their attacks so that they cannot be patched by the monthly Patch Tuesday. While the setSlice exploit is still making its rounds, the VML 0day was discovered less than 2 weeks prior (edited to add: and even more 0days have been found since!). For those who are curious, VML (Vector Markup Language) is an XML-based way of defining vector graphics. It was rejected as a standard by the W3C, but still found its way into IE.
However, some more interesting things happened outside of the "normal" 0day "find, announce, workaround, patch" cycle for this particular exploit. Apparently it briefly saw placement on many hacked HostGator websites through malicious iframe link insertion, so that the compromised hosting sites look normal but instruct users' browsers to access a piece of malicious content as well. It turns out that another, unrelated, 0day was used against the cPanel software to gain administrative control of the HostGator sites and insert the malicious iframe links. This is exactly the sort of website compromise leading to client compromise that The HoneyClient Project is helping to detect. It is also the reason why the commonly used "mitigating factor" in Microsoft vulnerability reports is not that mitigating.
More publicity for this vulnerability was stirred up when the Zero-day Emergency Response Team (ZERT) released their 3rd party patch for this vulnerability. A second version of this patch even includes support for OS versions no longer supported by Microsoft. As with the 3rd party WMF patch before it (which was even endorsed by the ISC at the time), the general debate over whether and when people should use 3rd party patches called even more attention to this problem.
Since I'm reporting this after the fact, CVE and the Internet Storm Center have pre-collected the links for me, so I recommend visiting the following links.
This vulnerability has been given CVE ID CVE-2006-4868.
See here for the ISC coverage, which contains the links to their own multiple entries about this issue, as well as the most relevant links to others' coverage.
Microsoft eventually released an off-schedule standalone patch. The MS security bulletin assigned to this threat is MS06-055.
Also, it is probably worth noting that this vulnerability has a Metasploit module for it.
