31250 : Microsoft IE Vector Markup Language (VML) Overflow
Printer | http://osvdb.org/31250 | Email This | Edit Vulnerability

Views This Week

Views All Time

444

Info

Last Modified

about 1 year ago

Percent Complete

100%

Disclosure

Jan 09, 2007

Discovery

Oct 03, 2006

Dates

Exploit

Unknown

Solution

Unknown

Keywords

No Keywords

Description

A heap buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a unspecified buffer. With a specially crafted request that contains vml graphics, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Technical

Microsoft Internet Explorer is only vulnerable under Microsoft Windows 2000 or XP. The browser is not vulnerable under Vista.

This vulnerability exists due to insufficient input validation within
vgx.dll. Two integer properties are multiplied together and no overflow
check is performed. This could allow an attacker to force a memory
allocation of a smaller amount of memory than is required. When copying
user supplied data into the newly allocated memory, it is possible to
overwrite a function pointer stored on the heap, which leads to the
execution of arbitrary code.

Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s):
Unregister the vgx.dll.

Products

Microsoft Corporation	Internet Explorer	5
		6
		7

References

Security Tracker: 1017489
CERT VU: 122084
CVE ID: 2007-0024 (see also: NVD)
Bugtraq ID: 21930
Secunia Advisory ID: 23677
Related OSVDB ID: 31250
ISS X-Force ID: 31287
Microsoft Knowledge Base Article: 929969
FrSIRT Advisory: ADV-2007-0105 ADV-2007-0129
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0254.html
http://archives.neohapsis.com/archives/bugtraq/2007-01/0386.html
http://archives.neohapsis.com/archives/bugtraq/2007-01/0416.html
http://www.securityfocus.com/archive/1/archive/1/457053/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/457164/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/457274/100/0/threaded
Generic Informational URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
http://support.microsoft.com/?kbid=929969
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
http://www.us-cert.gov/cas/techalerts/TA07-009A.html
http://www.w3.org/TR/NOTE-VML
Other Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462
Vendor Specific News/Changelog Entry: http://support.avaya.com/elmodocs2/security/ASA-2007-009.htm
News Article: http://www.eweek.com/article2/0,1759,2082416,00.asp
Microsoft Security Bulletin: MS07-004
US-CERT Cyber Security Alert: TA07-009A

Tools & Filters

Nessus	24000
Snort	9848 9849

Credit

Moti Joseph - -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches

Views This Week

Views All Time

Info

Last Modified

Percent Complete

Disclosure

Discovery

Dates

Exploit

Solution

Keywords

Description

Classification

Technical

Solution

Products

Microsoft Corporation

Internet Explorer

References

Tools & Filters

Credit

Blogs

Comments