Threat Name: MSIE Vector Markup Language Fill Method BO


panhead
May 20th, 2009, 08:12 AM
According to Norton Safeweb my site is infected with this threat on several pages:

Threat Name: MSIE Vector Markup Language Fill Method BO

Apparently Internet Explorer is vulnerable to this. What is it and what can I do about it?

Niclo Iste
May 20th, 2009, 09:40 AM
Did a quick search for info and Norton's website had this page about it. From first glance looks like a simple thing to fix.
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50030

panhead
May 20th, 2009, 01:19 PM
From first glance looks like a simple thing to fix.

I see how to solve if you use IE, but I don't see how to solve the cause of this.

Platypus
May 20th, 2009, 10:30 PM
Do you get any warning of this from your Antivirus if you access the website yourself?

Do you maintain the site yourself?

My first thought would be compare the live site with your version, and see if there exists any discrepancy, presumably some added javascript, although it says it can also be done without using javascript. Assuming something that shouldn't be there is there, ie it's not a false positive, modify anything you find that shouldn't be there, see if it makes the problem go away. If it comes back, it would seem to me that either the server side is compromised, or the computer you FTP from. If it cures it for a while then happens again, it could also indicate a problem with the host's security, or your access password somehow having become known to another party.

Is it a commercial site? I have known of one situation where it appeared a commercial site had a buffer overflow exploit planted on it so potential customers would be scared away, and the site would get a bad reputation rating. The exploit didn't have to do anything, just its code being there was enough.
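
Added example, not part of the original thread: one way to carry out the comparison suggested above, checking a known-good local copy against files downloaded from the live server and listing active content (script, iframe, object, embed, or namespace-prefixed elements such as VML's `v:` tags) that appears only in the live copy. The file names, file contents and the `compare_site` helper are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class ActiveContent(HTMLParser):
    """Collects (tag, src) for tags that load or run content, plus any
    namespace-prefixed element (VML markup is conventionally written v:...)."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS or ":" in tag:
            self.found.add((tag, dict(attrs).get("src") or ""))

def active_content(data):
    parser = ActiveContent()
    parser.feed(data.decode("utf-8", errors="replace"))
    parser.close()
    return parser.found

def compare_site(local, live):
    """local and live map file path -> bytes. Reports files missing from the
    server, files only on the server, and active content added to changed files."""
    report = {"missing": sorted(set(local) - set(live)),
              "unexpected": sorted(set(live) - set(local)),
              "changed": {}}
    for path in sorted(set(local) & set(live)):
        if hashlib.sha256(local[path]).digest() == hashlib.sha256(live[path]).digest():
            continue  # byte-identical, nothing to review
        added = active_content(live[path]) - active_content(local[path])
        report["changed"][path] = sorted(added)
    return report

# Constructed sample data: a local copy and a tampered "live" copy.
LOCAL = {
    "index.html": b"<html><head><script src='menu.js'></script></head><body><p>Hi</p></body></html>",
    "about.html": b"<html><body><p>About</p></body></html>",
    "old.html": b"<html><body>old</body></html>",
}
LIVE = {
    "index.html": b"<html xmlns:v='urn:schemas-microsoft-com:vml'><head><script src='menu.js'></script></head>"
                  b"<body><p>Hi</p><v:rect><v:fill /></v:rect>"
                  b"<iframe src='http://injected.example/' width='0'></iframe></body></html>",
    "about.html": b"<html><body><p>About</p></body></html>",
    "extra.php": b"<?php ?>",
}

if __name__ == "__main__":
    print(compare_site(LOCAL, LIVE))
```

A changed file with an empty list still differs from the local copy and needs a manual diff; the list only highlights the tags most likely to matter.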

NooNoo
May 21st, 2009, 03:46 AM
Who is the webhost? Are they known for not helping you with threats like this... several are.

panhead
May 21st, 2009, 04:54 AM
Thank you for the answers.
I downloaded all files and checked locally (with malwarebytes, spyterminator and avast), no problems found. My provider (helderhosting.nl, linux based) is helpful, checked the server side and found no problems. The phpBB team checked the phpBB files and database and found no problems.
I get no warnings (I use Firefox) myself. The site (hydra-glide.com) is not commercial and I maintain it myself.
I checked my home computer, no problems.
So I really do not know where to look. There are some members who complain they get the warning if they visit my site. Probably only Internet Explorer users, but even then there must be a reason.

NooNoo
May 21st, 2009, 05:16 AM
Some members? OK ask them what antivirus they are using and which pages they get the message on and exactly what the message is. I don't get any warnings with IE8.

I'm thinking they have an antivirus or malware which is giving false positives.

panhead
May 21st, 2009, 06:07 AM
OK, I will ask.

NooNoo
May 21st, 2009, 07:35 AM
Is it just people using IE6?

panhead
May 21st, 2009, 08:12 AM
No, also IE7.

Platypus
May 21st, 2009, 08:58 AM
None of the locations flagged by Safeweb cause any alerts for me using my laptop, with FF3, IE6 & Avast.

NooNoo
May 21st, 2009, 09:47 AM
safeweb finds 11 threats on different pages for me... IE8 as well as FF3.. here (http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.hydra-glide.com&x=0&y=0)

I wonder having read this (http://safeweb.norton.com/help/site_owners) whether safeweb needs to re-evaluate the site?

panhead
May 21st, 2009, 10:47 AM
I asked for a re-evaluation the day before yesterday and then they found two warnings. Now 11. Wonders what it's worth. Google safe browsing finds nothing. No complaints from members today, so it really is puzzling me.

NooNoo
May 21st, 2009, 06:05 PM
I think you should get safeweb to provide you with exactly what is causing the warnings on safeweb. Explain politely that no one can find what is wrong with the code.

panhead
May 21st, 2009, 06:41 PM
That is a good suggestion, will do that.

PACAIR
May 22nd, 2009, 02:28 PM
Our commercial site too gets this Norton Safe Web warning via IE/Google search:

Norton Safe Web has analyzed tshirtmagic.com for safety and security problems. Below is a sample of the threats that were found.
Threat Report
Total threats found: 1


Drive-By Downloads (what's this?)
Threats found: 1
Here is a complete list:

Threat Name: MSIE Vector Markup Language Fill Method BO
Location: http://www.tshirtmagic.com/

Norton referred us to these two pages:

http://www.phishreport.net/membership_FAQ.html
https://submit.symantec.com/false_positive/index.html

The false_positive submit form assumes your site offers software to download - we don't have any downloads on any of our site's pages?

Good luck panhead, will keep you informed if anything good comes from filling out their forms.

panhead
May 23rd, 2009, 04:25 PM
I asked Norton for a re-evaluation and then they found only one threat (though I changed nothing).
I downloaded all files from my site (again) and checked them (avast, spyware terminator and malwarebytes: no infections).
Further: if a file would be infected, then I assume you would see the warning every time you visit that page? Well, that is not the case.
These stupid warnings drive me crazy!
Firefox: no problems.

PACAIR
May 23rd, 2009, 04:55 PM
??? Panhead, your site rates a "RED" flag (WARNING) for this:

Threat Report
Total threats found: 1


Drive-By Downloads (what's this?)
Threats found: 1
Here is a complete list:

Threat Name: MSIE Vector Markup Language Fill Method BO
Location: http://www.hydra-glide.com/scripts/toc6.php

??? While my site rates a "YELLOW" flag (CAUTION) for the same:

Threat Report
Total threats found: 1


Drive-By Downloads (what's this?)
Threats found: 1
Here is a complete list:

Threat Name: MSIE Vector Markup Language Fill Method BO
Location: http://www.tshirtmagic.com/


Web sites rated "Caution" in yellow may have a small number of threats and annoyances, but are not considered dangerous enough to warrant a red "Warning".

panhead
May 23rd, 2009, 04:57 PM
Quite confusing! Do you see a relation between Internet Explorer and these warnings?

NooNoo
May 26th, 2009, 07:53 AM
Panhead, PACAIR, ask them for the line(s) of code that is causing the warning.

panhead
May 26th, 2009, 08:39 AM
I asked them a few days ago, but no answer yet.

This is what the Unmask Parasites website says about my site:

This page seems to be <clean>

(but I still have members with malware)

NooNoo
May 26th, 2009, 08:48 AM
Or do they have malware that they got elsewhere?

panhead
May 26th, 2009, 09:59 AM
That is possible of course.

I am convinced that no files on my site are infected, the warnings are too irregular, but I still don't know where to look for the source of the problem.

NooNoo
May 27th, 2009, 03:39 AM
Exactly why you need to ask safeweb for the lines of code that are causing the problem on their site.

PACAIR
May 27th, 2009, 10:29 AM
Here is our last contact with Norton:


Priyanka: David, There may be some signatures or scripts which are not valid...
Priyanka: So, It is showing it is insecure.
Mr. David: ?? so what can we do to have it retested by Web Safe?
Priyanka: This is the issue which is not related to Norton.
Priyanka: So, You can contact your technician to get this issue resolved for you.
Mr. David: R U saying it is with our server - ISP?
Mr. David: is it possible that Norton Web Safe made an error?
Priyanka: Yes, It is with your server ISP.
Mr. David: let's say our ISP resolves the problem - how soon will Norton Web Safe warnings be removed?
Priyanka: David, As soon as the signatures and scripts will be updated.
Priyanka: By your ISP.

I removed all code (except html/head/body tags) from our home page for two hours and never shook the VML warning. :knife:

PACAIR
May 28th, 2009, 10:11 PM
I hope we're going in the right direction - Norton Web Safe has now listed us as "not been tested yet" rather than "caution" warning.

Our ISP thinks our DOCTYPE may have been an issue:

OLD-
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
NEW-
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

panhead
May 29th, 2009, 02:22 AM
But that doesn't explain why it also happens in .php files without html.

NooNoo
May 29th, 2009, 05:13 AM
Ummm php is an engine. It outputs html. Safeweb can only "view source" as it were, so it looks at the php output, not the php itself.

Take a look at your flagged page here (http://www.hydra-glide.com/scripts/toc6.php). Right click and view source - you have no doctype at all - which is possibly a fault of your template or css depending on how the site is designed.

panhead
May 29th, 2009, 05:41 AM
I made that page :)
Do you suggest that I should add the doc type in the html statement?

As far as I can see now only IE users get the warnings.

NooNoo
May 29th, 2009, 06:38 AM
Doctype is very important - it tells the browser (and various validation engines) how to interpret the code. Read here (http://www.w3schools.com/tags/tag_DOCTYPE.asp)

panhead
May 29th, 2009, 07:50 AM
Thank you, I must admit that I didn't know that!

PACAIR
May 31st, 2009, 12:06 PM
Finally, Norton Web Safe has our site listed as safe now!

Took us these four things to accomplish it.


Remove from our home page a long time <iframe> linking us with t-shirtshopper.com

Two phone contacts with Norton and three on-line requests to revisit our site.

Remove this line from our DOCTYPE: <html xmlns="http://www.w3.org/1999/xhtml">

And then finally had our ISP call Norton to resolve problem.

panhead
May 31st, 2009, 05:27 PM
Good!

Remove this line from our DOCTYPE: <html xmlns="http://www.w3.org/1999/xhtml">

Where did you change it for (what is your html-statement now)?
How does your doctype statement look?

PACAIR
June 1st, 2009, 02:05 PM
Sorry, Not our doctype statement but our <HTML>

Was incorrectly written like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

And now it is written like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

Although, I think having our ISP involved and calling Norton @ 1.800.695.0678 our resubmission was expedited.

panhead
June 1st, 2009, 03:44 PM
When I changed it to what you described I got lots of errors and warnings when I validated it with W3.org.

NooNoo
June 2nd, 2009, 05:07 AM
Panhead, you have to write the code in the correct doctype too!
What warnings did you get on validation - which page did you validate?

panhead
June 2nd, 2009, 09:01 AM
I'm improving, I made a test .php file (www.hydra-glide.com/scripts/test_html.php).

Just 3 errors, now trying to find out where they come from, looks as if from the provider.

NooNoo
June 2nd, 2009, 10:23 AM
you have a php error at the moment...

panhead
June 2nd, 2009, 11:59 AM
I changed the code according to a W3.org recommendation, but that was not really successful...
It works again, but now with more errors.

panhead
June 3rd, 2009, 03:48 AM
Well, my provider blocked a couple of sites on the same server as mine and it looks like a big improvement. Let's see for how long...

NooNoo
June 3rd, 2009, 05:30 AM
you still have the wrong doc type (http://validator.w3.org/check?uri=http%3A%2F%2Fwww.hydra-glide.com%2Fscripts%2Ftest_html.php&charset=%28detect+automatically%29&doctype=Inline&group=0)

panhead
June 3rd, 2009, 05:46 AM
Yes, I'm still working on that!