-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-262A
Microsoft Internet Explorer VML Buffer Overflow
Original release date: September 19, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary code.
I. Description
Microsoft Internet Explorer contains a stack buffer overflow in
code that handles VML. More information is available in
Vulnerability Note VU#416092 and Microsoft Security Advisory
(925568).
Note that this vulnerability is being exploited.
II. Impact
By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user running IE.
III. Solution
We are currently unaware of a complete solution to this
problem. Until an update is available, consider the following
workarounds.
Disable VML support in IE
Microsoft Security Advisory (925568) suggests the following
techinques to disable VML support in IE:
* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet
and Local Intranet security zone
Disabling VML support may cause web sites that use VML to function
improperly.
Render email as plain text
Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs
directly into the browser to avoid these misleading links. While
these are generally good security practices, following these
behaviors will not prevent exploitation of this vulnerability in
all cases, particularly if a trusted site has been compromised or
allows cross-site scripting.
IV. References
* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>
* Securing Your Web Browser-
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Ex
plorer>
* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>
* CVE-2006-3866 -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@xxxxxxxx> with "TA06-262A Feedback VU#416092" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Sep 19, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRBphexOF3G+ig+rAQKjKwf/SqhuYNpSDw7n677sSaIPQArefSWbVZOy
oTDVz6Xg9bJ5mMiueAQY+OYDn/kHo3WepBdRjx+Cj36Js+9l2lTF+MO5S3k4AFWW
vG8RHLAvpaxCGWAupy8HjMW3MG+1unioJZYd8Xu916RUjgyVq36V0uSsAhaaBv2h
oRA7fft30VtTlOQ0TQFd+cJSH7uyfXA31e3tVTzDpclXvskm8Rb5h/KFP56i52ld
Uz/SSXPIIoFM0GTMknOSPh32Itp+MJj7ZDKQ2E2GR1GurUC33MObOUeRINrLndfX
9I2bbDcTw5vVnWFWqm45KRZTEvbBXNOXhAtgZmYje2NF4IxxvMiGhw==
=I3e8
-----END PGP SIGNATURE-----
