Ended up flipping a coin a to whether to post here or in Announcements, as this does not actually deal with a SpamCop.net issue. On the down side, it's hard to say how many folks will actually navigate their way here ..???

Per the Advisory: Vulnerability in Internet Explorer Could Allow Remote Code Execution, Microsoft has been very busy. Unfortunately, this includes adding more versions of IE to the list. The suggested 'fixes/workarounds' thus far have been pretty much poo-poo'd by most security folks.

Not stated in this Advisory is a currently much replicated announcement that Microsoft is planning on released a patch tomorrow .. definitely way off their normally scheduled 'patch Tuesday' mode.

If you are using IE and the Windows update isn't set for some kind of automatic mode, please make sure that you manually hit the Windows Update site tomorrow to at least look to see if this patch actually did make it out. Of course, the suspected follow-on issue is just what versions will be provided with a patch, suspecting those IE5 and IE6 users may find themselves left out.

The problem is that the exploits are already out there and apparently spreading pretty fast. Example article;
Microsoft Issuing Emergency Patch For Internet Explorer

The company on Saturday warned that 1 in 500 Internet Explorer users worldwide may have been exposed to malware hosted at both legitimate Web sites and porn sites that exploit an unpatched vulnerability.

Microsoft confirmed finding exploit code on a search engine in Taiwan and on a Web site in Hong Kong that serves adult entertainment content.

"Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability," Microsoft Security Response Center researchers Ziv Mador and Tareq Saade said in a blog post. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: We saw an increase of over 50% in the number of reports today compared to yesterday."
........
Microsoft however says it is aware only of attacks affecting Internet Explorer 7 under the following systems: Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.
.......
In a blog post on Tuesday titled "Stop Viewing Porn in Internet Explorer... For Now," Graham Cluley, senior technology consultant at Sophos, said that his company is seeing about 20,000 new infected Web pages appearing every day and that most of those sites are legitimate sites compromised by SQL injection attacks.

Stephan Chenette, manager of security research at Websense Security Labs, said in a phone interview that he's seeing a lot more legitimate sites being infected than porn sites. "I would characterize the severity as quite critical," he said. "It has quickly become the exploit of choice among attackers."
Needless to say, that last paragraph seems to be the scariest.

Manual and auto updates available as advertized - for example "Security Update for Internet Explorer 7 for Windows XP (KB960714)" - XP Pro, SP3. Pretty sure there's a patch for IE6 too, not sure about IE8 beta - easy to check if any concerns.

Which begs the question of how one might determine whether one's website were a vector for this. I don't worry about my personal computers (it has been many years since MS stopped releasing Mac versions of IE), but I do worry about my website (standard BSD/Apache hosting). I do run small casual blog which does use MySQL.

Anybody got any dope on what to look for on a website?

-- rick

Dunno Rick but I think there are some hints in the links at http://www.cve.mitre.org/cgi-bin/cvename.c...e=CVE-2008-4844

Also, assuming further redirection to an infector site there must be some code naming it, shadowserver lists those, might also have some clues on the 'footprint' - http://www.shadowserver.org/wiki/

Thanks for the pointers. Also, it occurred to me that I could check the logs for unusual volumes of traffic (which, in the case of my blog, is pretty much any traffic at all!).

-- rick

Yeah, volume or pattern or origin, anything unusual, same thought occurred to me about the same time.

Remembering malformed XML tags can be part of the exploit, IIUC, you could also run a page checker over your site (those pesky web-based checkers that tell you your lovingly hand-crafted site is a PoCC) - shouldn't be too hard from shadowserver to get an example of an 'affected' site to use for comparison, see if it picks up the significant 'errors'. Guess this sort of stuff isn't spelled out in specific detail in too many places.