An unpatched vulnerability in all editions of Microsoft's Internet Explorer browser is being exploited, security researchers said Tuesday, with the attack dumping a broad range of adware, spyware, and Trojans onto PCs whose users simply surf to an infected or malicious site.

First reported by Sunbelt Software -- although rival Internet Security Systems claimed it was the first to discover the bug -- the vulnerability is in how IE renders VML (Vector Mark-up Language), an extension of XML that defines on-the-Web images in vector graphics format. The previously unknown -- and thus unpatched -- bug inside IE is already being used by attackers.

So far, said Eric Sites, vice president of research and development at Sunbelt, the exploit has shown up on hardcore porn sites, which are serving a buffet of badware to users who visit those sites.

"First they were pushing Virtumondo adware," said Sites, "but by late afternoon yesterday, these sites were distributing more than 40 different types of malware, including keyloggers, adware, and backdoors."

The new exploit seems to have a connection to WebAttacker, an multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20. "We think that this new exploit is inside a new [version of the] kit," said Sites. "If that's true, then it will end up all over the place."

Sites said he expects that the exploit will migrate to one of the so-called "iframe cash" sites -- the term comes from the iframecash.biz site -- which use affiliates to push unpatched exploits to a large number of other Web sites, some of which are legitimate addresses whose servers have been previously compromised.

"This could end up being in lots and lots of places," said Sites.

Other researchers spotted the exploit on popular shared hosting distribution sites. The current in-the-wild exploit generates a stack overflow as soon as the user views an HTML page; once that happens, the attacker can push whatever code he wants onto the PC. "We're seeing this on dozens of different sites," said Gunter Ollmann, the director of Internet Security Systems' X-force research lab.

Both Sunbelt and ISS have confirmed that the exploit works against a fully-patched version of IE 6 running on Windows XP SP2. Ollmann also said that earlier editions, including 5.01, can be successfully breached, and that IE 7, Microsoft's under-construction next-generation browser, is "likely" at risk.

Late Tuesday morning, Microsoft acknowledged the bug, and said it was working on a fix. "The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted," a spokesman said.

Shortly after that, Microsoft posted a security advisory that offered several workarounds in lieu of a patch, including setting the kill bit for the vulnerable .dll and disabling scripting behaviors in the browser. Virtually every security organization raised the alarm, including US-CERT, the federal cyber-alert agency, which issued a warning just before noon EDT.

And that's a good idea, said Ollmann of ISS. "This vulnerability lies within code that's shared by a large number of Microsoft products, so it has a much wider footprint of attack than other recent zero-day vulnerabilities.

"This is the kind of exploit that we see in IE only once every two or three months."

In fact, the last time that an unpatched bug in IE was widely used to distribute a broad range of malware was in March, when the CreateTextRange bug was used by scores of malicious sites to seed PCs with spyware and adware.

The attacks could also get worse. "With the nature of VML, attackers could embed this exploit inside e-mail," Ollmann said. A user who only viewed an HTML-based message would succumb to the attack, he added.

Microsoft's only advice to users was to keep their anti-virus software up to date, and not to surf to "untrusted" sites or open suspicious e-mail messages. Sunbelt, ISS, and other security vendors suggested that users could protect themselves against the current exploit by disabling JavaScript.

But even that might not work for long. "JavaScript isn't required for this exploit to work," said Ollmann. "It would be a trivial change to make it work without Java."

The VML vulnerability is the second unpatched flaw in IE that has been disclosed in the last five days. On Friday, researchers warned of a bug in IE's handling of an ActiveX control included with Windows.