Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > September 2006 > Technical Cyber Security Alert TA06-262A: Microsoft Internet Explorer VML Buffer Overflow

September 2006

Technical Cyber Security Alert TA06-262A: Microsoft Internet Explorer VML Buffer Overflow

ID: 00636
Ref: 609/2006
Date: 20 September 2006:14:08:35
Version: 1
Title: Technical Cyber Security Alert TA06-262A: Microsoft Internet Explorer VML Buffer Overflow
Abstract: Microsoft Internet Explorer contains a stack buffer overflow in code that handles VML. More information is available in Vulnerability Note VU#416092 and Microsoft Security Advisory (925568).
Vendors affected: US-CERTS
Operating systems affected: US-CERTS
Applications affected: US-CERTS
Title
=====

Technical Cyber Security Alert TA06-262A: Microsoft Internet Explorer VML Buffer Overflow

Detail
======

Microsoft Internet Explorer contains a stack buffer overflow in
code that handles VML. More information is available in
Vulnerability Note VU#416092 and Microsoft Security Advisory
(925568).


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-262A


Microsoft Internet Explorer VML Buffer Overflow

Original release date: September 19, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer


Overview

Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary code.


I. Description

Microsoft Internet Explorer contains a stack buffer overflow in
code that handles VML. More information is available in
Vulnerability Note VU#416092 and Microsoft Security Advisory
(925568).

Note that this vulnerability is being exploited.


II. Impact

By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user running IE.


III. Solution

We are currently unaware of a complete solution to this
problem. Until an update is available, consider the following
workarounds.

Disable VML support in IE

Microsoft Security Advisory (925568) suggests the following
techinques to disable VML support in IE:

* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1

* Modify the Access Control List on Vgx.dll to be more restrictive

* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet
and Local Intranet security zone

Disabling VML support may cause web sites that use VML to function
improperly.

Render email as plain text

Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs
directly into the browser to avoid these misleading links. While
these are generally good security practices, following these
behaviors will not prevent exploitation of this vulnerability in
all cases, particularly if a trusted site has been compromised or
allows cross-site scripting.


IV. References

* Vulnerability Note VU#416092 -


* Securing Your Web Browser-
plorer>

* Microsoft Security Advisory (925568) -


* CVE-2006-3866 -



____________________________________________________________________

The most recent version of this document can be found at:


____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA06-262A Feedback VU#416092" in the
subject.

Produced 2006 by US-CERT, a government organization.

Terms of use:


____________________________________________________________________


Revision History

Sep 19, 2006: Initial release

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRRBphexOF3G+ig+rAQKjKwf/SqhuYNpSDw7n677sSaIPQArefSWbVZOy
oTDVz6Xg9bJ5mMiueAQY+OYDn/kHo3WepBdRjx+Cj36Js+9l2lTF+MO5S3k4AFWW
vG8RHLAvpaxCGWAupy8HjMW3MG+1unioJZYd8Xu916RUjgyVq36V0uSsAhaaBv2h
oRA7fft30VtTlOQ0TQFd+cJSH7uyfXA31e3tVTzDpclXvskm8Rb5h/KFP56i52ld
Uz/SSXPIIoFM0GTMknOSPh32Itp+MJj7ZDKQ2E2GR1GurUC33MObOUeRINrLndfX
9I2bbDcTw5vVnWFWqm45KRZTEvbBXNOXhAtgZmYje2NF4IxxvMiGhw==
=I3e8
- -----END PGP SIGNATURE-----

  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |