Time to disable JavaScript in IE again
At least if you browse dodgy Russian sites, that is.
Computerworld is reporting that the so-called "Web Attacker" malware has been upgraded to take advantage of an unpatched flaw in Internet Explorer 6. This time it's Microsoft's implementation of Vector Markup Language, or VML, that's "holey".
VML was Microsoft's suggested standard for vector graphics, but it was rejected by the W3C. Even so, MS implemented it in IE and Office, so watch out.
I don't know if IE7 betas are vulnerable to the exploit, but for now, if you're using IE, turn off JavaScript, even if it's a pain.
Update: According to George Ou at ZDNet, hardware Data Execution Prevention (DEP) stops the exploit. Hardware DEP comes courtesy of the NX (no execute) bit in modern CPUs from Intel and AMD, and Windows XP SP2 also offers software DEP, which also mitigates the exploit.
Ou also has a workaround for the VML exploit, which is well worth doing. Nobody uses VML anyway.


Comments
Alex: would think so, as it's IE-based.
Posted by: Juha | September 21, 2006 2:35 PM
I wonder if this affects MSN Explorer as well.
Posted by: Alex | September 20, 2006 6:37 PM