Microsoft has said it is considering releasing a patch for the VML flaw in Internet Explorer, which is being actively exploited by several thousand sites.

Meanwhile, over the weekend, attackers compromised the security of several web hosting companies in a well-organised effort to redirect users from legitimate websites to those hosting the VML flaw, according to the hosting companies involved.

And on Sunday, hackers released sample code showing how to exploit the IE flaw on a fully patched version of Windows XP, a move that security experts believe will step up the attacks.

The bug has to do with the way IE processes web-based graphics code written in the Vector Markup Language (VML). It was first reported Monday 18 September by researchers at Sunbelt Software, who found that attackers were exploiting this vulnerability on a number of pornographic websites. The vulnerability allows attackers to silently install applications of their choosing.

On Friday, Scott Deacon of Microsoft's Security Response Centre reassured users that the company had developed a fix for the VML flaw, and needed only to complete tests before releasing it.

"We've made some progress in our testing pass for the update, and are now evaluating releasing this outside the monthly cycle," he said on a MSRC blog.

He said the timing of the release depends on when the patch reaches an acceptable level of quality. "If that occurs prior to the monthly cycle, then we will release," he wrote.

He said Microsoft has not seen much evidence of attacks using the flaw - in sharp contrast to reports from various security vendors. "Attacks remain limited. There's been some confusion about that, that somehow attacks are dramatic and widespread," he said. "We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either."

Sunbelt Software, which originally reported the flaw last week, has estimated there are now several thousand sites deploying exploits for the flaw, with one site attempting to install upwards of 50 pieces of malicious code.

Attacks are spreading, with security company Websense reporting on Monday that email versions of the exploit is now making the rounds. For example, attackers are circulating authentic-looking email greeting cards with links to malicious sites.

In what may be the most dangerous attack so far, Web hosting company HostGator said attackers took over some of its sites and those of three other hosting companies using a separate zero-day flaw in cpanel, an application used by many hosting services. The attackers then planted an iframe script in websites that directed visitors to malicious addresses bearing the VML flaw, according to Brent Oxley, HostGator's owner.

The company hosts around 500,000 addresses, and while not all of these were compromised, thousands were, Oxley said. The attack lasted from late Thursday to Saturday afternoon, he said.

The VML hole, and other zero-day vulnerabilities like it, represent a golden opportunity for criminals by allowing them to install spyware and other malware of their choosing on large number of machines. But finding a way to lure victims to sites carrying the infected payload remains a key challenge. Criminals involved in this weekend's attack solved that problem by using a previously unknown vulnerability in cpanel, the leading software used to manage large numbers of websites, to gain access to hundreds or thousands of servers that dish up web pages.

"That speaks to a significant degree of planning," said Roger Thompson, CTO of Exploit Prevention Labs. "The significant thing is that it was a mass hack with a zero day that worked."

A nonprofit group called ZERT last week released its own patch for the VML flaw, saying the situation was too dangerous to wait for Microsoft.

Microsoft said it didn't recommend applying third-party patches, saying security best practice is to use patches only from the original software vendor.

As a temporary workaround, Microsoft has advised users to unregister the dll used to render VML images. Information on how to do this, along with other possible workarounds for the problem can be found here.

Sunbelt said on Monday that another unpatched IE flaw is now being actively used to plant malicious code on users' systems. The bug is related to an ActiveX control called daxctle.ocx, Sunbelt said.

InfoWorld staff and Robert McMillan of IDG News Service contributed to this report.