A new vulnerability in IE's VML engine has been reported. While VML is rarely used, this vulnerability is critical because:
- any website can exploit the hole by embedding VML inside HTML.
- any email sender can send HTML email with hostile VML.
This one is serious enough for me to take action without waiting for a patch from Microsoft and I suggest you do the same by choosing one of the workarounds listed here.
Since none of my tools rely on VML (AFLAX does, but I am not using AFLAX yet), I chose to disable VML by unregistering VGX.dll with the following command:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
To restore VML later, use the same command without -u.
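
To confirm the workaround took effect, the check below lists any COM class registrations whose in-process server still points at vgx.dll. It is an added example, not part of the original post; the function name `Get-VgxRegistration` is illustrative, and it assumes PowerShell is available on the machine.

```powershell
# Added example: find COM classes whose in-process server is still vgx.dll.
# No matches after "regsvr32 -u" means the VML engine is unregistered.
function Get-VgxRegistration {
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'  # 32-bit view on 64-bit Windows
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $sub = $clsid.OpenSubKey('InprocServer32')
            if ($null -eq $sub) { continue }
            try {
                # The default value of InprocServer32 holds the DLL path.
                $server = [string]$sub.GetValue('')
            } finally { $sub.Close() }
            if ($server -match '\\vgx\.dll"?\s*$') {
                New-Object PSObject -Property @{ Clsid = $clsid.PSChildName; Server = $server }
            }
        }
    }
}

$found = @(Get-VgxRegistration)
if ($found.Count -eq 0) {
    'vgx.dll is not registered: the workaround is in place.'
} else {
    'vgx.dll is still registered under:'
    $found | Format-Table -AutoSize Clsid, Server
}
```

Run it again after any system update or repair install, since re-registering the DLL undoes the workaround.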