SECURITYVULNS:DOC:14338 (mirrored by vulners.com)
2006-09-20 00:00:00
Vulnerability Note VU#416092
Microsoft Internet Explorer VML stack buffer overflow
Overview
Microsoft Internet Explorer (IE) fails to properly handle Vector Markup Language tags. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
I. Description
Microsoft IE versions 5.0 and higher support the Vector Markup Language (VML), a set of XML tags for drawing vector graphics. IE fails to properly handle malformed VML tags, allowing a stack buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted web page with IE, that attacker may be able to trigger the buffer overflow.

On Windows XP SP2 systems the vulnerable component (VGX.DLL) is compiled with the /GS (Buffer Security Check) flag, making exploitation more difficult. Note that /GS only checks a cookie placed in front of the saved return address; it does not protect every control-data target on the stack, so it raises the cost of exploitation rather than removing the risk, and it does not help on systems where VGX.DLL was built without it.

Note that this vulnerability is actively being exploited.
II. Impact
A remote, unauthenticated attacker can execute arbitrary code on a vulnerable system.
III. Solution

We are currently unaware of a practical solution to this problem. Until a patch or update is available consider the following workarounds:

Disable VML support in IE

Microsoft Security Advisory (925568) suggests the following techniques to disable VML support in IE:

* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone
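
The three workarounds above as one script, an added example that is not taken from the US-CERT note or from the Microsoft advisory. It assumes an administrative command prompt on Windows XP SP2 or Windows Server 2003, the default vgx.dll location under %ProgramFiles%\Common Files\Microsoft Shared\VGX, and the standard IE zone registry layout in which the Custom Level setting "Binary and script behaviors" is URL action 2000 (0 = Enable, 1 = Prompt, 3 = Disable) under zone 1 (Local intranet) and zone 3 (Internet).

```batch
@echo off
rem vml-workaround.cmd apply | undo
rem Added example, not Microsoft's or US-CERT's script. Applies (or rolls
rem back) the three MSA 925568 workarounds for the VGX.DLL stack overflow.
rem Assumptions: administrative prompt, default vgx.dll path, standard
rem per-user IE zone keys.
setlocal
set "VGX=%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
set "ZONES=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

if /i "%~1"=="undo" goto :undo
if /i not "%~1"=="apply" (
    echo usage: %~nx0 apply ^| undo
    exit /b 2
)

rem 1. Un-register the VML renderer so IE no longer loads it as a behavior.
regsvr32 /s /u "%VGX%" || echo WARNING: regsvr32 -u "%VGX%" failed

rem 2. Deny Everyone access to the DLL. /E edits the existing ACL instead of
rem    replacing it, so other entries survive and "undo" can remove just this one.
cacls "%VGX%" /E /P everyone:N

rem 3. Disable "Binary and script behaviors" (URL action 2000, data 3) in the
rem    Local intranet (1) and Internet (3) zones for the current user only.
for %%Z in (1 3) do reg add "%ZONES%\%%Z" /v 2000 /t REG_DWORD /d 3 /f >nul
goto :verify

:undo
regsvr32 /s "%VGX%"
cacls "%VGX%" /E /R everyone
for %%Z in (1 3) do reg add "%ZONES%\%%Z" /v 2000 /t REG_DWORD /d 0 /f >nul

:verify
rem Show the resulting ACL and zone values so the change can be confirmed.
cacls "%VGX%"
for %%Z in (1 3) do reg query "%ZONES%\%%Z" /v 2000
endlocal
```

Two caveats for anyone deploying this: the zone change lives under HKCU, so it protects only the user who runs the script (push it through Group Policy or per-user logon scripts for a fleet), and un-registering or denying access to vgx.dll means any application that renders VML through that library stops doing so until the "undo" branch is run after the vendor fix is installed.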

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
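
The link-inspection checks implied above (percent-encoding, IP-address variations, very long URLs, look-alike host names), as an added example in Python that is not part of the US-CERT note. It goes slightly beyond the text by decoding the decimal, hexadecimal and octal IPv4 spellings that legacy inet_aton-style parsers accept, as well as the user-info-before-'@' trick. The trusted-host list, the length threshold, the edit-distance cut-off and the sample links are all constructed assumptions.

```python
"""Flag the link-obfuscation tricks named in the advisory.  Added example;
TRUSTED_HOSTS, LONG_URL, LOOKALIKE_EDITS and the sample links are assumptions."""
import ipaddress
from urllib.parse import urlsplit, unquote

TRUSTED_HOSTS = ("www.example.com", "example.com")  # assumed allowlist
LONG_URL = 200                                     # assumed length threshold
LOOKALIKE_EDITS = 2                                # assumed edit-distance cut-off


def decode_ip_host(host):
    """Return the dotted-quad form of an IPv4 host written in any legacy
    inet_aton spelling (3232235777, 0xC0A80101, 0300.0250.01.01, 192.168.1.1),
    or None if the host is not such a spelling."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    values = []
    for p in parts:
        try:
            if p.lower().startswith("0x"):
                values.append(int(p, 16))
            elif len(p) > 1 and p.startswith("0"):
                values.append(int(p, 8))
            elif p.isdigit():
                values.append(int(p, 10))
            else:
                return None
        except ValueError:
            return None
    # inet_aton rule: the last component fills all remaining bytes.
    last_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_bits:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << last_bits) | values[-1]
    return str(ipaddress.IPv4Address(n))


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (misspelled) host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(url):
    """Return a list of warnings for one link; an empty list means nothing odd."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username is not None:
        warnings.append("user-info before '@' hides the real host (%s)" % host)
    if "%" in host:
        warnings.append("percent-encoding inside the host name")
    canon = decode_ip_host(host)
    if canon is not None and canon != host:
        warnings.append("host is an obfuscated IP address: %s -> %s" % (host, canon))
    elif canon is not None:
        warnings.append("host is a raw IP address (%s), not a domain name" % host)
    decoded = unquote(parts.path)
    if decoded != parts.path and decoded.isascii() and decoded.isprintable():
        warnings.append("path hides plain ASCII behind percent-encoding: %s" % decoded)
    if len(url) > LONG_URL:
        warnings.append("very long URL (%d characters)" % len(url))
    if host and canon is None and host not in TRUSTED_HOSTS:
        for trusted in TRUSTED_HOSTS:
            if edit_distance(host, trusted) <= LOOKALIKE_EDITS:
                warnings.append("host %s looks like trusted %s" % (host, trusted))
                break
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("http://www.example.com/login",
                 "http://www.example.com@3232235777/login",
                 "http://0xC0A80101/login",
                 "http://0300.0250.01.01/login",
                 "http://www.exarnple.com/login",
                 "http://www.example.com/%6C%6F%67%69%6E"):
        print(link, "->", inspect_link(link) or "no warnings")
```

The checks are heuristics for triage, not a verdict: as the note says, a compromised trusted site or a cross-site scripting flaw on one defeats link inspection entirely, which is why the VML workarounds above are the primary mitigation.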
Systems Affected

Vendor                  Status      Date Updated
Microsoft Corporation   Vulnerable  20-Sep-2006
References

http://www.us-cert.gov/cas/techalerts/TA06-262A.html
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
http://msdn.microsoft.com/workshop/author/vml/SHAPE/introduction.asp
http://www.microsoft.com/technet/security/advisory/925568.mspx
Credit

This vulnerability was reported by Sunbelt Software.

This document was written by Jeff Gennari.
Other Information
Date Public:          18.09.2006
Date First Published: 19.09.2006 11:14:35
Date Last Updated:    20.09.2006
CERT Advisory:
CVE Name:             CVE-2006-3866
Metric:               37.87
Document Revision:    30
