Info

Disclosure

Sep 19, 2006

Discovery

Unknown

Dates

Exploit

Sep 19, 2006

Solution

Unknown

Description

A remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphics, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Patch
Exploit: Exploit Available
Disclosure: OSVDB Verified, Discovered in the Wild

Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): To un-register Vgx.dll, follow these steps: Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll " (without the quotation marks), and then click OK.

Products

Microsoft Corporation	Internet Explorer	5
		5.5
		6
		7 RC1

References

FrSIRT Advisory: ADV-2006-3679
Bugtraq ID: 20096
Microsoft Knowledge Base Article: 925486 925568
Generic Informational URL: http://blogs.securiteam.com/?p=640
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
http://www.avertlabs.com/research/blog/?p=90
http://www.w3.org/TR/NOTE-VML.html
Microsoft Security Bulletin: MS06-055
CERT VU: 416092
Milw0rm: 2425
Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/20096.html
http://downloads.securityfocus.com/vulnerabilities/exploits/vml.c
Other Advisory URL: http://isc.sans.org/diary.html?storyid=1713
http://sunbeltblog.blogspot.com/2006/09/vulnerable-versions-of-outlook.html
http://vil.nai.com/vil/Content/v_140629.htm
http://vil.nai.com/vil/Content/v_vul26881.htm
ISS X-Force ID: 29004
Secunia Advisory ID: 21989
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0327.html
CVE ID: 2006-3866 (see also: NVD) 2006-4868 (see also: NVD)
News Article: http://blog.washingtonpost.com/securityfix/2006/09/unofficial_patch_released_for_ ......
http://news.com.com/Microsoft+mulls+early+IE+patch+release/2100-1002_3-6119393.ht ......
http://www.eweek.com/article2/0,1895,2017626,00.asp
http://www.theinquirer.net/default.aspx?article=37781

Credit

Eric Sites - ericssunbelt-software.com - Sunbelt

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Internet Explorer

References

Credit