Info

Disclosure

Sep 19, 2006

Discovery

Unknown

Dates

Exploit

Sep 19, 2006

Solution

Sep 26, 2006

Description

A remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphic, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Workaround, Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified, Uncoordinated Disclosure, Discovered in the Wild

Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): Disable active scripting, or change the access control list of vgx.dll. It has been reported that those recommendations have been reported to be unsuccessful. To un-register Vgx.dll, follow these steps: Click Start, click Run, type "regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll " (without the quotation marks), and then click OK.

Products

Microsoft Corporation	Internet Explorer	5
		5.5
		6
		7 RC1

References

CVE ID: 2006-3866 (see also: NVD) 2006-4868 (see also: NVD)
Bugtraq ID: 20096
Secunia Advisory ID: 21989
Milw0rm: 2425
Exploit Database: 2425
SCIP VulDB ID: 2552
Metasploit ID: 28946
ISS X-Force ID: 29004
CERT VU: 416092
Microsoft Knowledge Base Article: 925486 925568
VUPEN Advisory: ADV-2006-3679
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0327.html
News Article: http://blog.washingtonpost.com/securityfix/2006/09/unofficial_patch_released_for_1.html
http://news.com.com/Microsoft+mulls+early+IE+patch+release/2100-1002_3-6119393.html
http://www.eweek.com/article2/0,1895,2017626,00.asp
http://www.theinquirer.net/default.aspx?article=37781
Generic Informational URL: http://blogs.securiteam.com/?p=640
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
http://www.avertlabs.com/research/blog/?p=90
http://www.w3.org/TR/NOTE-VML.html
Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/20096.html
http://downloads.securityfocus.com/vulnerabilities/exploits/vml.c
http://downloads.securityfocus.com/vulnerabilities/exploits/vml.c
http://immunitysec.com
http://www.saintcorporation.com/cgi-bin/exploit_info/ie_vml_rect_fill
Other Advisory URL: http://isc.sans.org/diary.html?storyid=1713
http://sunbeltblog.blogspot.com/2006/09/vulnerable-versions-of-outlook.html
http://vil.nai.com/vil/Content/v_140629.htm
http://vil.nai.com/vil/Content/v_vul26881.htm
Microsoft Security Bulletin: MS06-055

Credit

Eric Sites - ericssunbelt-software.com - Sunbelt

Direct URL: http://osvdb.org/28946

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Internet Explorer

References

Credit